BOSTON  PUBLIC  LIBRARY 


3  9999  05903  786  9 


H.R.  4585-THE  MEDICAL  HNANCIAL  PRIVACY 
\6^  PROTECTION  ACT 


H.  B^^/i 


HEARING 


BEFORE  THE 


COMMITTEE  ON  BANKING  AND 
FINANCIAL  SERVICES 

U.S.  HOUSE  OF  REPRESENTATIVES 


ONE  HUNDRED  SIXTH  CONGRESS 
SECON0  SESSION 


JUNE  14,  2000 


Printed  for  the  use  of  the  Committee  on  Banking  and  Financial  Services 


Serial  No.  106-63 


65-149  CC 


U.S.   GOVERNMENT  PRINTING  OFFICE 
WASHINGTON  :  2000 


For  sale  by  the  Superintendent  of  Documents,  Congressional  Sales  OfHce 
U.S.  Government  Printing  GiTice,  Washington,  DC  20402 


HOUSE  COMMITTEE  ON  BANKING  AND  FINANCIAL  SERVICES 


JAMES  A.  LEACH,  Iowa,  Chairman 
BILL  McCOLLUM,  Florida,  Vice  Chairman 


MARGE  ROUKEMA,  New  Jersey 

DOUG  K.  BEREUTER,  Nebraska 

RICHARD  H.  BAKER,  Louisiana 

RICK  LAZIO,  New  York 

SPENCER  BACHUS  III,  Alabama 

MICHAEL  N.  CASTLE,  Delaware 

PETER  T.  KING,  New  York 

TOM  CAMPBELL,  California 

EDWARD  R.  ROYCE,  California 

FRANK  D.  LUCAS,  Oklahoma 

JACK  METCALF,  Washington 

ROBERT  W.  NEY,  Ohio 

BOB  BARR,  Georgia 

SUE  W.  KELLY,  New  York 

RON  PAUL,  Texas 

DAVE  WELDON,  Florida 

JIM  RYUN,  Kansas 

MERRILL  COOK,  Utah 

BOB  RILEY,  Alabama 

RICK  HILL,  Montana 

STEVEN  C.  LaTOURETTE,  Ohio 

DONALD  A.  MANZULLO,  Illinois 

WALTER  B.  JONES  Jr.,  North  CaroUna 

PAUL  RYAN,  Wisconsin 

DOUG  OSE,  California 

JOHN  E.  SWEENEY,  New  York 

JUDY  BIGGERT,  Illinois 

LEE  TERRY,  Nebraska 

MARK  GREEN,  Wisconsin 

PATRICK  J.  TOOMEY,  Pennsylvania 


JOHN  J.  LaFALCE,  New  York 
BRUCE  F.  VENTO,  Minnesota 
BARNEY  FRANK,  Massachusetts 
PAUL  E.  KANJORSKI,  Pennsylvania 
MAXINE  WATERS,  California 
CAROLYN  B.  MALONEY,  New  York 
LUIS  V.  GUTIERREZ,  Illinois 
NYDIA  M.  VELAZQUEZ,  New  York 
MELVIN  L.  WATT,  North  Carolina 
GARY  L.  ACKERMAN,  New  York 
KENNETH  E.  BENTSEN  Jr.,  Texas 
JAMES  H.  MALONEY,  Connecticut 
DARLENE  HOOLEY,  Oregon 
JULIA  M.  CARSON,  Indiana 
ROBERT  A.  WEYGAND,  Rhode  Island 
BRAD  SHERMAN,  California 
MAX  SANDLIN,  Texas 
GREGORY  W.  MEEKS,  New  York 
BARBARA  LEE,  California 
FRANK  R.  MASCARA,  Pennsylvania 
JAY  INSLEE,  Washington 
JANICE  D.  SCHAKOWSKY,  Illinois 
DENNIS  MOORE,  Kansas 
CHARLES  A.  GONZALEZ,  Texas 
STEPHANIE  TUBBS  JONES,  Ohio 
MICHAEL  E.  CAPUANO,  Massachusetts 
MICHAEL  P.  FORBES,  New  York 

BERNARD  SANDERS,  Vermont 


(II) 


CONTENTS 


Page 

Hearing  held  on: 

June  14,  2000  1 

Appendix: 

June  14,  2000  65 


WITNESSES 
Wednesday,  June  14,  2000 

Bartlett,  Hon.  Steven,  President,  Financial  Services  Roundtable  36 

Beason,    Nicole,    Esther    Peterson    Fellow,    Washington    Office,    Consumers 

Union 50 

Brain,  Donald  C,  Jr.,  CPA,  AAI,  President,  Lockton  Benefit  Group,  on  behalf 

of  the  Independent  Insurance  Agents  of  America  38 

Breitenstein,  A.G.,  JD,  MPH,  Chief  Privacy  Officer,  ChoosingHealth.com  52 

Gensler,  Hon.  Gary,  Under  Secretary  for  Domestic  Finance,  Department  of 

the  Treasury  5 

Harding,    Dr.    Richard    K.,    M.D.,    President-elect,    American    Psychiatric 

Association;  Vice  Chair,  Clinical  Affairs  and  Professor  of  Psychiatrics  and 

Pediatrics,  University  of  South  Carolina  School  of  Medicine  35 

Hendricks,  Evan,  Editor  and  Publisher,  "Privacy  Times"  54 

Meyer,  Robbie,  Senior  Counsel,  American  Council  of  Life  Insurers 43 

Mierzwinski,    Edmund,   Consumer   Program    Director,    U.S.    Public   Interest 

Research  Group  56 

Pritts,  Joy  L.,  Senior  Counsel,  Health  Privacy  Project,  Institute  for  Health 

Care  Research  and  Policy,  Georgetown  University  58 

Rheel,  Robert  H.,  Senior  Vice  President,  Fireman's  Fund,  on  behalf  of  the 

American  Insurance  Association  40 

Sebelius,  Hon.  Kathleen,  Commissioner  of  Insurance,  State  of  Kansas;  Vice 

President,  National  Association  of  Insurance  Commissioners  25 

Weich,  Ronald,  Partner,  Zuckerman,  Spaeder,  Goldstein,  Taylor  &  Kolker, 

L.L.P.,  on  behalf  of  the  American  Civil  Liberties  Union  60 

Yingling,  Edward  L.,  Deputy  Executive  Vice  President,  Executive  Director 

of  Government  Relations,  American  Bankers  Association  41 


(III) 


Page 
APPENDIX 

Prepared  statements: 

Leach,  Hon.  James  A 66 

Jones,  Hon.  Stephanie  T 68 

Kelly,  Hon.  Sue  W 70 

LaFalce,  Hon.  John  J 71 

Lee,  Hon.  Barbara  73 

Maloney,  Hon.  Carolyn  B 74 

Markey,  Hon.  Edward  J 75 

Roukeraa,  Hon.  Marge 77 

Bartlett,  Hon.  Steven  155 

Season,  Nicole 196 

Brain,  Donald  C,  Jr 159 

Breitenstein,  A.G 202 

Gensler,  Hon.  Gary 78 

Harding,  Dr.  Richard  K.,  M.D 150 

Hendricks,  Evan  207 

Meyer,  Robbie  182 

Mierzwinski,  Edmund  211 

Pritts,  Joy  L 214 

Rheel,  Robert  H 163 

Sebelius,  Hon.  Kathleen  (with  attachments)  87 

Welch,  Ronald  220 

Yingling,  Edward  L 171 


Additional  Material  Submitted  for  the  Record 
America's  Community  Bankers,  policy  statement,  June  14,  2000 233 


(IV) 


H.R.  4585— THE  MEDICAL  FINANCIAL 
PRIVACY  PROTECTION  ACT 


WEDNESDAY,  elUNE  14,  2000 

U.S.  House  of  Representatives, 
Committee  on  Banking  and  Financial  Services, 

Washington,  DC. 

The  committee  met,  pursuant  to  call,  at  10:05  a.m.,  in  room 
2128,  Rayburn  House  Office  Building,  Hon.  James  A.  Leach, 
[chairman  of  the  committee],  presiding. 

Present:  Chairman  Leach;  Representatives  Roukema,  Bereuter, 
Lucas,  Barr,  Kelly,  Ryun,  Biggert,  Terry,  Green,  LaFalce,  C. 
Maloney  of  New  York,  Gutierrez,  Ackerman,  Bentsen,  J.  Maloney 
of  Connecticut,  Hooley,  Carson,  Lee,  Inslee,  Schakowsky,  Moore, 
Gonzalez,  Jones  and  Capuano. 

Chairman  Leach.  The  hearing  will  come  to  order. 

The  committee  meets  today  to  hear  testimony  on  H.R.  4585,  the 
Medical  Financial  Privacy  Protection  Act,  and  other  measures  in 
this  arena  which  are  designed  to  protect  the  most  sensitive 
information  about  an  individual  that  is  held  by  a  financial  firm. 

Before  summarizing  this  proposal,  let  me  review  the  legislative 
background  of  the  issue. 

Last  year,  in  consideration  of  H.R.  10,  the  Financial  Services 
Modernization  Act,  this  committee  for  the  first  time  in  the  long  his- 
tory of  bank  reform  legislation  approved  a  privacy  package.  In  ad- 
dition to  erecting  privacy  shields  for  American  financial  services 
customers,  including  a  ban  on  the  transfer  of  information  to  third- 
party  telemarketers  and  a  clampdown  on  identity  theft,  the  bill 
that  left  this  committee  contained  a  provision  that  would  have 
walled  off  the  medical  records  held  by  an  insurance  company  from 
other  affiliates  of  a  financial  services  holding  company,  as  well  as 
non-affiliated  third  parties. 

H.R.  10  passed  the  House  with  the  strongest  privacy  protections 
ever  incorporated  into  banking  law,  importantly  including  the  med- 
ical privacy  provisions  that  originated  in  our  committee.  Later, 
however,  at  the  request  of  the  Administration  and  the  insistence  of 
the  Minority  party  on  the  floor  that  the  issue  be  addressed  through 
Executive  action  rather  than  legislation,  the  medical  privacy 
provisions  were  dropped  from  the  final  version  of  the  bill. 

Now  it  appears  a  consensus  is  developing  among  the  interested 
parties  in  the  Government  on  the  desirability  of  moving  forward 
with  a  legislative  approach  to  medical  privacy.  In  this  regard,  the 
language  of  H.R.  4585  is  consistent  with  the  medical  privacy  rec- 
ommendations forwarded  to  Congress  by  the  Treasury  Department 
six   weeks    ago    and    responds    to    the    concerns    outlined   by   the 

(1) 


President  in  his  April  30  speech  at  the  Eastern  Michigan  Univer- 
sity in  Ypsilanti.  And  in  an  important  disclosure  area  that  deals 
with  information  concerning  mental  health  or  conditions,  H.R.  4585 
goes  beyond  the  Administration's  recommendations. 

The  legislation  is  also  consistent  with  the  industry  accord  an- 
nounced last  week.  The  industry  is  to  be  complimented  for  agreeing 
to  voluntarily  provide  a  credible  degree  of  privacy  protection  of  the 
medical  records  of  their  customers.  Some  would  even  contend  that, 
because  of  this  voluntary  agreement  and  because  of  the  industries 
general  record  of  safeguarding  medical  records,  any  legislation  rep- 
resents a  solution  seeking  a  problem. 

Yet  the  background  of  legislative  concern  in  this  area  relates  less 
to  any  history  of  past  industry  abuse  or  of  new  financial  industry 
organization,  but  rather  to  the  implications  of  modern  information 
technology  as  it  relates  to  the  new  genetic  sciences.  So  much  more 
can  now  be  known  about  and  predicted  about  individuals  based 
upon  medical  testing  that  it  is  important  to  put  common  sense  re- 
straints in  place  before  temptingly  improper  industrial  practices 
begin. 

The  major  provisions  of  the  bill,  H.R.  4585,  which  is  the  principal 
subject  matter  of  the  hearing  are  as  follows: 

Financial  institutions  will  be  required  to  obtain  customer's  con- 
sent, or  opt-in,  before  disclosing  individually  identifiable  health  in- 
formation to  an  affiliate  or  non-affiliated  third  party. 

A  financial  institution  will  be  prohibited  from  obtaining  or  using 
individually  identifiable  health  information  in  deciding  whether  to 
issue  credit,  unless  the  prospective  borrower  expressly  consents. 

Information  relating  to  mental  health  or  mental  condition  will  be 
singled  out  for  particular  protection  with  separate  and  specific  cus- 
tomer consent  required  to  disclose  such  information  and  special 
policies  developed  by  regulators  to  protect  its  confidentiality. 

Consumers  will  be  given  the  right  to  inspect,  copy  and  correct  in- 
dividually identifiable  health  information  that  is  under  the  control 
of  a  financial  institution. 

Strict  limitation  will  be  placed  on  the  redisclosure  and  reuse  of 
individually  identifiable  health  information  legitimately  obtained 
by  a  financial  institution. 

And  nothing  will  be  done  to  modify,  limit  or  supersede  medical 
privacy  standards  promulgated  by  the  Secretary  of  Health  and 
Human  Services  pursuant  to  authority  granted  under  the  Health 
Insurance  Portability  and  Accountability  Act. 

The  approach  contemplated  in  H.R.  4585  is  designed  to  augment 
the  privacy  provisions  of  the  financial  modernization  bill  passed 
last  year.  Rules  to  implement  those  privacy  protections  are  in  the 
process  of  being  implemented  by  the  Executive  Branch,  and  I  be- 
lieve I  can  speak  for  all  Members  of  the  committee  in  encouraging 
that  regulators  should  move  expeditiously  so  all  Americans  can  be 
more  secure  in  the  privacy  of  their  financial  information. 

Before  hearing  today  from  the  Administration,  Government  offi- 
cials, industry  representatives  and  privacy  groups  on  their  perspec- 
tives, let  me  ask  Mr.  LaFalce  if  he  has  any  opening  comments. 

[The  prepared  statement  of  Hon.  James  A.  Leach  can  be  found 
on  page  66  in  the  appendix.] 


Mr.  LaFalce.  Mr.  Chairman,  I  do.  The  difficulty  is  I  think  we 
have  about  five  minutes  lefi:  to  vote,  and  I  don't  know  if  I  would 
be  able  to  get  my  five  minutes  in. 

Chairman  Leach.  The  gentleman  is  correct.  We  have  a  little 
more  than  that,  but  I  think  that  if  he  doesn't  want  to  be  inter- 
rupted it  would  be  better  to  move  to  the  vote.  I  think  that  is  very 
appropriate. 

Let  me  say  we  have  a  very,  very  long  set  of  panels,  and  we  have 
votes  expected  on  the  floor  actively  today,  and  so  it  will  be  my  in- 
tent to  limit  opening  statements  for  five  or  six  or  seven  more  min- 
utes and  then  turn  immediately  to  our  first  witness. 

The  hearing  then  will  be  in  recess  pending  the  vote. 

[Recess.] 

Chairman  Leach.  The  hearing  will  reconvene,  and  Mr.  LaFalce 
is  recognized. 

Mr.  LaFalce.  I  thank  the  Chairman. 

This  morning's  hearing  continues  our  committee's  work  on  finan- 
cial privacy  which  we  began  two  years  ago  when  Chairman  Leach 
introduced  legislation,  which  I  co-sponsored,  to  prohibit  pretext 
calling  and  other  privacy  abuses  and  I  introduced  a  related  bill  to 
impose  obligations  on  financial  institutions  to  protect  the  confiden- 
tiality of  customer  information.  I  am  very  pleased  to  say  that  both 
proposals  were  enacted  into  law  as  part  of  last  year's  financial 
modernization  legislation  in  much  the  same  form  as  they  were 
originally  introduced. 

This  year,  I  introduced  H.R.  4380,  a  comprehensive  proposal  de- 
veloped in  concert  with  the  Administration  to  address  financial  pri- 
vacy broadly.  I  think  it  is  an  excellent  bill.  H.R.  4584,  which  the 
Chairman  has  introduced,  addresses  one  of  the  issues  dealt  with  in 
H.R.  4380,  medical  privacy,  by  restricting  the  use  and  disclosure  of 
financial  institutions  of  personally  identifiable  health  and  medical 
information.  This  is  an  issue  not  included  in  the  legislation  adopted 
last  year,  and  not  adequately  addressed  in  pending  HHS  privacy 
regulations. 

Both  H.R.  4380  and  H.R.  4585  reflect  the  growing  bipartisan  rec- 
ognition that  the  privacy  protections  adopted  last  year  do  not  go  far 
enough  in  assuring  that  sensitive  personal  information  will  be  pro- 
tected by  financial  institutions  and  that  additional  protections 
must  be  enacted. 

The  issue  of  medical  financial  privacy  eluded  us  last  year.  Our 
committee  did  adopt  a  narrow  provision  to  restrict  the  use  of 
health  information  in  connection  with  credit  decisions.  That  was  re- 
placed by  a  broader  bipartisan  financial  privacy  proposal  on  the 
House  floor. 

The  Commerce  Committee  had  a  proposal  that  would  restrict  the 
disclosure  of  health-related  information  by  insurance  companies.  It 
was  referred  to  as  the  Ganske  Provision.  And  that  was  omitted  in 
conference  in  response  to  strong  bipartisan  concerns  that  it  might 
preempt  pending  HHS  privacy  regulations,  preempt  stronger  State 
medical  privacy  laws,  and  permit  widespread  sharing  of  sensitive 
health  data  under  broad  exceptions  for  many  different  things.  So 
all  the  major  medical  and  hospital  associations,  all  the  patient  and 
consumer  groups  and  privacy  advocates  agreed  that  the  Ganske 


language  at  that  time  created  greater  potential  privacy  problems 
than  it  resolved.  And  so  both  H.R.  4585  and  H.R.  4380  have  meri- 
torious proposals  on  medical  privacy. 

In  many  respects,  H.R.  4585  is  comparable  to  the  medical  privacy 
provisions  of  H.R.  4380;  in  some  respects,  it  does  differ.  And  some 
of  those  respects  where  it  differs  I  have  some  difficulties,  but  I  am 
sure  those  difficulties  can  be  worked  out  in  probably  a  manager's 
amendment. 

But  the  primary  limitation  of  H.R.  4585  is  not  what  it  does.  It 
is  rather  what  it  doesn't  do.  It  applies  only  to  medical  and  health 
information,  which  we  must  do  and  is  extremely  important.  But  the 
higher  standard  of  protection  for  the  sharing  of  consumer  profiles 
and  lists  should  apply  to  all  sensitive  health  and  financial  informa- 
tion, and  the  new  protections  for  consumer  access  and  correction 
should  apply  to  all  sensitive  financial  information,  and  the  stronger 
standards  for  reuse  and  redisclosure  of  information  should  apply  to 
all  sensitive  financial  information  and  not  just  health  or  medical 
information. 

So,  in  short,  I  think  H.R.  4585  is  a  very  good  effort,  but  I  also 
think  we  need  to  do  more.  If  consumers  do  not  want  their  financial 
account  information  shared  with  affiliated  companies  without  their 
knowledge,  we  need  to  do  more.  If  consumers  object  to  having  their 
spending  habits  and  product  preferences — referred  to  as 
"profiling" — if  they  don't  want  these  habits  and  preferences  mon- 
itored and  sold  or  shared  for  marketing  purposes,  we  need  to  do 
more.  If  consumers  don't  want  health  and  insurance  information 
taken  into  consideration  for  investment  or  employment  decisions, 
we  need  to  do  more.  And  if  American  consumers  want  to  have  the 
same  privacy  rights  being  given  to  European  customers  of  United 
States  institutions,  we  need  to  do  more.  And  if  consumers  want  the 
right  to  determine  if  their  financial  records  are  accurate  and  up- 
to-date,  we  need  to  do  more. 

So  I  urge  today's  witnesses  not  to  confine  themselves  solely  to 
the  topic  of  the  very  important  and  necessary  need  of  medical  pri- 
vacy legislation  that  is  before  us,  but  I  personally  would  welcome 
any  comments  on  the  broader  aspects  of  the  Administration's  pri- 
vacy proposals  either  as  contained  in  H.R.  4380  or  any  other  pro- 
posals that  are  needed  to  assure  the  strongest  possible  privacy  pro- 
tections for  American  consumers. 

I  want  to  especially  thank  the  Chairman  for  accommodating  my 
request  for  witnesses  for  today's  hearing,  all  of  whom  will  be  on 
Panel  IV,  and  I  join  with  the  Chairman  in  welcoming  all  of  today's 
witnesses.  I  thank  the  Chair. 

[The  prepared  statement  of  Hon.  John  J.  LaFalce  can  be  found 
on  page  71  in  the  appendix.] 

Chairman  Leach.  Thank  you,  John. 

What  I  would  like  to  do  in  limiting  opening  statements  is  limit 
it  to  the  Chairman  and  Ranking  Member  of  the  subcommittee  of 
jurisdictions. 

Mrs.  ROUKEMA.  I  thank  you,  Mr.  Chairman.  I  will  be  brief  and 
have  the  full  text  of  my  opening  statement  in  the  record. 

I  would  just  make  a  couple  of  observations  here.  As  you  know, 
we  in  the  subcommittee  held  hearings  last  year  on  these  subjects, 
including  not  only  financial,  but  also  medical  privacy;  and,  as  you 


have  already  noted,  we  have  to  go  farther  than  what  was  in  the 
Gramm-Leach-Bliley  bill;  and  that  is  quite  appropriate. 

I  want  to  endorse  everything  you  have  previously  stated  on  that 
subject.  Clearly,  today  we  are  opening  up  the  door  and  continuing 
what  we  did  in  the  subcommittee  with  respect  to  exploring  medical 
privacy,  and  really  the  financial  and  medical  privacy  are  inter- 
related, and  we  have  to  come  to  terms  with  them.  Of  course,  we 
don't  have  the  rules  and  the  regulations  yet  evaluated.  It  is  too 
early  for  that.  But  we  hopefully  will  begin  to  evaluate  those  regu- 
latory rules  by  this  July,  or  certainly  September. 

I  am  questioning,  however,  what  the  status  is  and  the  scope  of 
the  medical  privacy  standards  that  were  being  developed  or  should 
be  developed  by  HHS  under  the  Health  Insurance  Portability  and 
Accountability  Act.  I  don't  think  that  they  have  been  clearly  enun- 
ciated. I  think  you  made  reference  to  that.  Perhaps  we  will  find  out 
something  more  today.  If  not  today,  then  I  certainly  would  expect 
to  make  a  formal  inquiry  with  them  for  a  complete  report. 

In  addition,  Mr.  Chairman,  I  also  want  to  say,  although  we  do 
have  the  American  Psychiatric  Association  here  today  and  at  least 
one  other  group  that  is  directly  involved — that  are  direct  health-re- 
lated organizations,  I  do  plan  to  inquire  with  at  least  the  American 
Medical  Association,  the  Health  Care  Leadership  Council,  and  the 
National  Alliance  for  the  Mentally  111  and  other  medical  groups,  be- 
cause I  think  it  is  absolutely  appropriate  for  us  to  have  those  who 
deal  on  a  daily  basis  with  medical  issues  in  the  immediate  world 
with  patients  to  have  more  input  into  our  deliberations  here.  So  I 
will  be  making  those  inquiries,  and  we  can  discuss  it  another  time 
whether  or  not  it  will  be  appropriate  to  make  that  a  formal  part 
of  our  report. 

Thank  you,  Mr.  Chairman. 

[The  prepared  statement  of  Hon.  Marge  Roukema  can  be  found 
on  page  77  in  the  appendix.] 

Chairman  Leach.  Thank  you,  Mrs.  Roukema. 

Mr.  Gensler,  please. 

STATEMENT  OF  HON.  GARY  GENSLER,  UNDER  SECRETARY 
FOR  DOMESTIC  FINANCE,  DEPARTMENT  OF  THE  TREASURY 

Mr.  Gensler.  Thank  you,  Mr.  Chairman,  Ranking  Member  La- 
Falce,  Members  of  the  committee.  Thank  you  for  having  me  here 
to  talk  about  this  critical  issue  of  privacy. 

I  am  also  honored  to  have  with  me  my  second  daughter.  Lee 
Gensler  is  right  behind  me.  I  know  that  Congressman  Capuano  last 
week,  when  I  did  this  with  my  other  daughter,  thought  it  might  be 
bordering  on,  as  he  said,  "child  abuse,"  but,  believe  it  or  not,  my 
second  daughter  also  wanted  to  come  and  see  how  Congress  works. 

Chairman  Leach.  On  behalf  of  the  committee,  we  give  a  special 
welcome  to  Ms.  Lee  Grensler. 

Ms.  Gensler,  if  you  would  like  to  sit  next  to  your  father,  you 
would  be  welcome  so  to  do.  If  you  are  like  my  family,  we  Imow  that 
the  rule  is  in  inverse  proportion  to  age.  Please,  Ms.  Gensler. 

Mr.  Gensler.  She  thanks  you. 

I  am  pleased  to  have  the  opportunity  to  talk  about  the  Chair- 
man's bill,  H.R.  4585,  and  privacy  in  general.  My  written  testimony 
that  I  hope  to  submit  for  the  record,  but  let  me  just  summarize — 


does  address  four  areas:  first,  the  need  for  privacy  protections  in 
the  financial  area;  second,  last  year's  advances  in  the  Financial 
Modernization  Act;  thirdly,  the  President's  comprehensive  Con- 
sumer Financial  Privacy  Act  initiative;  and  then,  fourthly,  medical 
privacy. 

If  I  may  just  summarize  briefly. 

Many  Americans  increasingly  feel  their  privacy  threatened  by 
those  with  whom  they  do  business,  particularly  when  it  comes  to 
privacy  around  their  financial  information.  We  are  in  the  midst  of 
extraordinary  changes  in  the  financial  industry.  These  changes  are 
brought  about,  we  think,  in  three  ways:  first,  integration  and  con- 
solidation, in  part  brought  on  by  the  Gramm-Leach-Bliley  Act,  but 
largely  brought  on  by  consumers  and  markets;  second,  advances  in 
technology — clear  and  dramatic  changes  in  technology;  and,  thirdly, 
the  explosion  of  the  use  of  electronic  payments  and  electronic  re- 
ceipts— where  transactions  can  be  measured  and  recorded. 

Last  year's  efforts  were  very  significant,  and  we  believe  the  Con- 
gress and  the  Administration  worked  together  in  a  bipartisan  way 
to  move  privacy  protections  forward  in  a  constructive  way  around 
notice  and  choice,  around  third-party  sharing,  and  about  important 
protections  beyond  that.  The  Administration  believes,  however, 
that  much  more  can  be  done  and  should  be  done  to  protect  finan- 
cial consumer  privacy. 

To  that  end,  the  President  announced  an  important  new  legisla- 
tive proposal  in  late  April  to  provide  Americans  more  fully  with  an 
effective  financial  privacy  act.  That  legislation  now  before  Congress 
is  H.R.  4380,  the  Consumer  Financial  Privacy  Act,  and  is  a  bal- 
anced, comprehensive  approach  to  financial  privacy,  providing  im- 
portant new  rights  and  protections  while  addressing  some  of  the 
shortcomings  in  last  year's  bill. 

A  central  Administration  principle  is  that  the  greater  the  sensi- 
tivity of  the  data  and  the  possible  harm  from  misuse,  the  greater 
should  be  the  level  of  privacy  protection;  and  the  Chairman,  I 
think,  recognizes  that  with  regard  to  the  medical  area.  The  Admin- 
istration's proposals,  therefore,  call  for  the  strongest  protections  in 
two  highly  sensitive  areas:  first,  the  sharing  of  medical  informa- 
tion, as,  again,  the  Chairman's  bill  also  recognizes;  and,  second,  the 
use  of  detailed  personal  spending  habits  information  about  an  indi- 
vidual consumer — the  entire  list  of  all  of  our  spending,  where  we 
spend  our  money,  how  we  spend  our  money,  a  whole  portrait  of  an 
individual. 

For  other  financial  information,  however,  the  Administration's 
proposal  would  give  consumers  the  opportunity  only  to  opt-out:  the 
first  two  opt-in,  but  other  areas  just  opt-out  before  a  financial  serv- 
ices firm  can  share  that  information  for  marketing  purposes.  This 
would,  in  essence,  extend  the  protections  of  last  year's  bill  to  affil- 
iate sharing. 

But,  importantly,  the  Administration  recognizes  that  there  is  a 
bulk  of  information  sharing,  a  shared  type  of  information  sharing, 
if  I  might  call  it  that,  that  provides  for  consumers  to  understand 
that  sharing,  but  not  have  a  choice  to  opt-out;  and  that  is  for  risk 
management,  that  is  for  fraud,  that  is  for  law  enforcement,  many 
of  the  provisions  this  Congress  wrestled  with  last  year.  The  Admin- 
istration suggests  adding  one  very  important  component  to  that — 


that  would  help  consumers  and  help  the  economy — which  is  related 
to  consolidated  statements  and  consolidated  call-in  centers  to  facili- 
tate, again,  the  consumers. 

We  are  pleased  so  many  Members  of  Congress  have  supported 
this  approach.  We  especially  thank  Ranking  Member  LaFalce,  who 
sponsored  this  approach,  and  led  this  with  many  Members  of  this 
committee. 

Let  me  now  just  turn  to,  more  specifically,  to  medical  privacy. 
We  are  deeply  committed  to  providing  consumers  control  and  rig- 
orous safeguards  with  regard  to  medical  privacy.  Under  the  terms 
of  the  HIPAA  law,  which  was  passed  by  Congress  in  1996,  and  the 
rules  under  them,  privacy  protections  apply  to  covered  entities,  and 
I  think  that  this  was  one  of  the  questions  raised  earlier.  Covered 
entities  are  only  health  providers,  health  plans,  and  health  clear- 
inghouses so,  thus,  includes  health  insurers.  They  do  not  cover  life 
insurers,  do  not  cover  property  and  casualty  insurers,  do  not  cover 
auto  insurers  and  many  disability  insurance  programs,  all  of 
which,  I  would  say,  are  now  financial  institutions  and  defined  as 
such  under  the  Financial  Modernization  Act  of  last  year. 

The  proposals  offered  last  year  addressed  some  of  the  issues,  but 
could  have  seriously  undermined  the  crucial  medical  privacy  initia- 
tives, such  as  preempting  the  HIPAA  roles  and  the  other  issues 
that  I  think  Congressman  LaFalce  outlined  in  his  opening  state- 
ment. 

HHS  is  right  now  in  the  midst  of  a  rule-writing  process.  They 
put  out  the  proposed  rules  last  fall,  and  the  President  committed 
in  his  State  of  the  Union  to  finish  these  rules  this  year.  They  are 
right  now  in  the  midst  of  rule  writing  and  have  received  many 
comments  on  those  critical,  important  rules.  But,  again,  those  rules 
would  not  be  able  to  cover  many  financial  institutions  such  as  life 
insurance  companies,  property  and  casualty,  disability  insurers,  be- 
cause of  the  nature  of  the  1996  Act. 

Mr.  Chairman,  by  convening  this  hearing  you  have  focused  atten- 
tion on  the  important  issues  surrounding  financial  privacy  and 
medical  privacy.  While  we  continue  to  believe  it  is  necessary  to 
seek  legislation  that  provides  comprehensive  privacy  protections, 
your  bill  offers  a  starting  point  for  consideration  of  the  issues  that 
will  be  very  important  and  truly  important  for  a  privacy  regime. 
Let  me  say  there  is  common  ground  between  your  bill  and  the  Ad- 
ministration's proposal  regarding  financial  privacy.  H.R.  4585  does 
differ  in  some  significant  respects,  and  I  would  like  to  just  high- 
light two  of  those  for  you  today. 

First,  the  scope  of  the  bill.  We  believe  that  financial  privacy  leg- 
islation should  address  the  full  range  of  financial  privacy  issues,  as 
the  Administration  proposal  does.  H.R.  4585,  while  sharing  many 
of  the  Administration's  views  on  medical  privacy,  is  in  contrast  to 
a  narrow  bill  that  does  not  address  issues  beyond  medical  privacy. 
Medical  privacy  within  the  financial  services  industry  is  vitally  im- 
portant as  only  one  aspect  we  believe  in  moving  forward. 

Second,  with  regard  to  the  bill  itself  on  medical  privacy,  in  one 
regard,  with  regard  to  receipt  and  use  provisions,  these  are  the  pro- 
visions that  will  prohibit,  unless  a  consumer  consents,  a  financial 
institution  to  receive  or  use  medical  information.  They  are  limited 
to  the  extension  of  credit  or  a  loan.  Thus,  the  Chairman's  bill  sug- 


8 

gests  that,  before  you  receive  or  use  medical  information  in  exten- 
sion of  credit  or  loan,  you  have  to  get  specific  opt-in  by  the  con- 
sumer. 

We  share  that  view,  but  we  believe  that  it  is  important  to  have 
that  receipt  or  use  limitation  broader  than  just  for  the  extension 
of  a  credit  or  a  loan.  If  a  financial  firm  is  giving  investment  advice, 
should  it  be  able  to  get  information  from  a  life  insurance  affiliate 
before  it  decides  on  the  investment  advice?  If  a  financial  firm  is 
providing  auto  insurance,  should  it  be  able  to  reach  to  the  insur- 
ance company  and  get  the  medical  information — or  even  if  it  is  pro- 
viding travel  services,  which,  by  the  way,  under  the  Financial  Mod- 
ernization Act,  includes  travel  agencies  as  part  of  financial  serv- 
ices? Before  giving  travel  services,  should  it  be  able  to  reach  next 
door  to  an  affiliate  to  get  medical  information?  We  think  that  the 
receipt  and  use  provisions  are  strong,  but  should  be  broadened  and 
should  apply  to  the  broad  set  of  financial  services  and  products. 

In  conclusion,  Mr.  Chairman,  we  thank  you  for  providing  this 
forum  to  discuss  this  critically  important  issue.  This  hearing  pro- 
vides a  starting  point  for  a  thorough  consideration  of  the  range  of 
privacy  issues  raised  by  changes  in  technology  and  our  financial 
markets.  This  is  truly  an  historic  opportunity  to  get  financial  pri- 
vacy right,  to  put  in  place  all  of  the  protections  that  American  citi- 
zens want  and  need. 

We  recognize  the  special  sensitivity  of  personal  medical  informa- 
tion, and  we  support  having  effective  laws  that  match  the  sensi- 
tivity of  that  data.  At  the  same  time,  we  should  also  address  the 
vital  issues  that  were  included  in  the  Consumer  Financial  Privacy 
Act.  We  think  to  do  otherwise  is  to  miss  out  on  an  opportunity  and 
that  we  can  work  together  and  address  these  issues.  We  look  for- 
ward to  working  with  you  and  thank  you  again. 

[The  prepared  statement  of  Hon.  Gary  Gensler  can  be  found  on 
page  78  in  the  appendix.] 

Chairman  Leach.  Well,  thank  you  very  much,  Secretary  Gensler, 
Thank  you  for  your  loyal  support. 

Ms.  Lee. 

Mrs.  Roukema. 

Mrs.  Roukema.  Mr.  Chairman,  you  caught  me  a  little  off  guard 
here.  I  expected  you  and  Mr.  LaFalce  to  first  be  speaking. 

Let  me  ask  this,  Mr.  Gensler.  You  state  that  the  President  has 
pledged  that  the  final  medical  privacy  regulations  will  be  issued 
this  year.  Pursuant  to  the  authority  of  HIPAA,  which  I  referenced, 
the  1996  law,  and  I  referenced  that  in  my  opening  statement,  but 
these  rules  would  apply  only  to  certain — as  I  understand  it,  only 
to  certain,  "covered  entities"  and  would  not  apply  to  most  financial 
institutions.  I  believe  in  your  opening  statement,  although  I  was  in- 
terrupted at  one  point,  necessarily  interrupted,  that  you  made  ref- 
erence to  the  question  of  not  being  included  in  terms  of  affiliation 
in  Gramm-Leach-Bliley,  but  maybe  you  could  amplify  that. 

But  the  point  is,  there  is  not  specificity  as  to  what  would  apply 
and  what  would  not  apply  to  the  financial  institutions,  but  I  am 
really  deeply  concerned,  because  they  are  integrated.  They  are  in 
some  ways  integrated.  Aside  from  that,  we  have  to  go  beyond  nec- 
essarily in  this  legislation,  but  what  can  be  done  has  not  yet  been 
done  under  existing  law.  So  could  you  amplify  please  with  more 


specificity  as  to  what  we  can  expect  and  how  you  recommend  we 
close  those  loopholes? 

Mr.  Gensler.  The  bill  that  was  passed  by  Congress  in  1996  pro- 
vided that  if  Congress  were  unable  to  pass  further  legislation  with- 
in a  three-year  period,  then  the  President  was  authorized  through 
HHS  to  put  in  place  these  regulations.  Those  were  proposed  last 
fall.  They  only  cover  health  providers,  health  care  plans  and  health 
clearinghouses.  That  is  what  the  bill  said.  And  thus  they  cover 
health  insurers,  but  not  life  insurers,  not  property  and  casualty 
like  auto  insurers  and  the  like.  So,  what  this  committee  has  before 
it  in  the  Chairman's  bill  and  in  the  Ranking  Member's  bill,  does 
cover  those  other  financial  entities. 

Mrs.  ROUKEMA.  I  believe  I  understand  that.  Those  are  the  cov- 
ered entities  that  you  were  defining. 

Mr.  Gensler.  Right.  Congress  defined  those  in  1996;  and,  thus, 
the  HHS  rules  are  unable  to  address  the  other  sharing  that  may 
go  on. 

Mrs.  RoUKEMA.  I  certainly  realize  that,  but  are  they  now  being 
instituted  or  are  they  still  in  the  comment  period? 

Mr.  Gensler.  They  have  closed  the  comment  period.  They  got, 
I  think,  literally  thousands  of  comments. 

Mrs.  Roukema.  But  they  are  not  instituted  as  yet? 

Mr.  Gensler.  The  final  rules  would  become  effective  later  this 
year  and  I  think  under  the  statute  had  two  years  for  implementa- 
tion. 

Mrs.  Roukema.  You  see  no  conflict  here  by  any  means  either 
under  regulatory  authority  or  with  the  affiliation  regulation  and 
the  law  where  this  legislation  will  certainly  close  those  loopholes 
in  a  defined  manner.  Yes? 

Mr.  Gensler.  I  think  both  the  Chairman  and  the  Ranking  Mem- 
ber's bill  recognizes  the  HIPAA  rules  and  has,  I  would  say,  sort  of 
a  safe  harbor  for  that,  and  this  is  additive,  thus,  I  think  that  is  ap- 
propriate in  both  of  these  bills. 

Mrs.  Roukema.  In  terms  of  additive,  you  don't  see  any  conflict 
coming  up  there  in  terms  of  a  legal  question  within  the  affiliation 
structure,  none  whatsoever? 

Mr.  Gensler.  I  don't  believe  so. 

Mrs.  Roukema.  I  thank  the  Treasury  Secretary. 

Mr.  Gensler.  Thank  you. 

Chairman  Leach.  Thank  you,  Mrs.  Roukema. 

Mr.  LaFalce. 

Mr.  LaFalce.  Thank  you  very  much. 

First  of  all,  Mr.  Gensler,  let  me  commend  you  on  the  outstanding 
job  you  have  been  doing  in  your  role  as  Assistant  Secretary  of  the 
Treasury  for  Domestic  Finance  and  for  the  fine  testimony  you  have 
given  us  today. 

As  I  understand  it,  having  worked  with  you  very  closely  in  the 
development  of  the  Administration's  broader,  more  comprehensive 
financial  privacy  package,  you  believe  that  the  bill  before  us  today, 
Mr.  Leach's  bill,  is  a  good  bill,  but  you  have  difficulty  with:  A,  its 
scope,  which  we  will  talk  about  later;  and  second,  with  certain  de- 
tails which  I  have  said  I  think  can  be  worked  out  and  perhaps  even 
by  a  manager's  amendment.  Let's  deal  with  those  details  first. 
Could  you  expand  upon  those  just  a  bit  more?  If  we  were  only  to 


10 

consider  the  bill  before  us,  forget  about  scope,  how  would  you  want 
it  improved? 

Mr.  Gensler.  I  think  we  have  made  some  very  good  progress  to- 
gether since  last  year's  debate  and  identified  a  new  way  to  address 
financial  medical  privacy,  and  it  is  in  the  receipt  or  use  of  that  in- 
formation. If  some  part  of  a  financial  institution  under  the  Chair- 
man's bill,  a  bank  in  extending  a  mortgage  or  in  extending  an  auto 
loan,  receives  or  uses  information  from  an  affiliate  or  a  third  party, 
in  fact,  it  can't  do  that  if  it  is  medical  information  unless  it  has 
specific  consent  from  the  consumer. 

We  applaud  that  provision.  We  think  that  is  right.  It  stops  the 
use  or  receipt  of  that  information.  Our  comment  is  that  we  think 
that  in  the  President's  bill  we  went  broader,  that  it  was  not  only 
in  the  extension  of  a  mortgage  or  an  auto  loan,  but  it  was  the  ex- 
tension of  other  financial  services.  And,  as  I  highlighted,  we  think 
that  whether  you  are  extending  investment  advice  or  extending  an 
auto  loan,  for  instance,  a  financial  institution  should  not  without 
the  consumer's  specific  consent  receive,  use  medical  information 
from  one  of  your  affiliates.  Again,  the  Chairman's  bill  did  include 
many  of  the  provisions  on  access,  on  reuse,  on  personal  spending 
habits  around  medical. 

Mr.  LaFalce.  I  haven't  had  a  dialogue  with  the  Chairman  on 
this,  but  I  feel  confident  this  is  something  we  could  come  to  closure 
on.  What  I  am  concerned  about  is  that  we  not  lose  sight  of  the  fact 
that  there  are  broader  issues,  too,  which  we  have  attempted  to  ad- 
dress in  a  broader  bill.  I  made  a  statement,  and  I  would  ask  you 
to  comment  on  them  seriatim.  If  consumers  don't  want  their  finan- 
cial account  information  shared  with  affiliated  companies  without 
their  knowledge,  would  we  need  to  do  more  than  H.R.  4580? 

Mr.  Gensler.  We  think  that  we  should  not  stop  at  medical.  We 
think  that  there  are  broader  issues,  particularly  around  personal 
spending  habits,  that  are  enhanced  and  have  a  heightened  level  of 
sensitivity  that  ought  to  be  included,  and  the  i^erican  people 
want  included,  in  their  zone  of  privacy. 

Mr.  LaFalce.  If  we  want  to  stop  profiling,  would  we  need  to  do 
more  than  H.R.  4580? 

Mr.  Gensler.  Yes,  we  would. 

Mr.  LaFalce.  If  we  want  to  give  American  consumers  the  same 
privacy  rights  that  European  consumers  of  United  States  financial 
institutions  have,  wouldn't  we  have  to  go  further? 

Mr.  Gensler.  The  answer  is  yes,  particularly  as  it  relates  to  af- 
filiate sharing. 

Mr.  LaFalce.  Good.  I  just  wanted  to  set  the  stage  that  I  don't 
think  that  we  should  arbitrarily — let  me  scratch  the  word  arbi- 
trarily— I  don't  think  we  should  prejudge  the  legislative  approach 
we  should  take  to  our  problems.  I  think  we  ought  to  hear  what  the 
scope  of  the  problems  are  and  then  come  in  with  legislation  to  ad- 
dress it,  rather  than  just  start  out  with  something  narrow. 

I  don't  want  to  turn  down  something  that  deals  in  a  good  manner 
with  one  piece  of  the  problem.  By  the  same  token,  I  don't  want  to 
make  a  prejudgment  that  we  can  only  deal  with  one  piece  of  the 
problem.  I  prefer  to  go  for  a  larger,  more  comprehensive  approach. 
I  thank  you. 

Chairman  Leach.  Thank  you,  John. 


11 

Mr.  Bereuter. 

Mr.  Bereuter.  Thank  you  very  much,  Mr.  Chairman. 

Secretary  Gensler,  one  of  the  exceptions  to  the  opt-out  provisions 
of  the  Gramm-Leach-Bliley  Act  authorized  disclosure  of  ir^ormation 
by  insurance  companies  to  State  guaranty  funds.  Neither  the  Ad- 
ministration's bill  nor  H.R.  4585  extends  the  State  guaranty  fund 
exception  to  the  opt-in  provisions  applicable  to  disclosure  of  the 
health  information.  Several  of  the  industry  witnesses  bring  up  this 
point  or  will  bring  it  up  before  the  committee  later  in  at  least  their 
written  testimony.  What  is  the  Administration's  rationale  in  omit- 
ting the  State  guaranty  fund  exception  from  the  medical  privacy 
opt-in  proposal? 

May  I  ask  a  second  question,  too?  It  relates  to  a  concern  among 
some  financial  institutions  of  a  significant  regulatory  burden  that 
could  be  imposed  when  they  have  only  a  one-time  transaction  with 
respect  to  a  person,  for  example,  wiring  money  by  Western  Union 
one  time  only. 

Would  you  care  to  respond  to  both  of  those  two  items? 

Mr.  Gensler.  Yes,  Congressman.  In  terms  of  the  State  guar- 
antee point,  what  was  not  clear  to  us  in  the  last  four  months  in 
developing  the  bill  was  why  there  might  be  a  need  for  individual 
medical  records  with  regard  to  that  exemption  that  you  rightly 
point  out  is  in  Gramm-Leach.  So  we  have  not  heard  a  specific  rea- 
son why  individual  medical  records  are  needed.  Again,  we  look  for- 
ward to  working  with  this  committee  if  there  is  something  that  we 
have  overlooked,  but  nothing  has  come  to  our  attention. 

In  terms  of  the  second  issue,  there  are  provisions  even  under  the 
Act  last  year  and  the  rules  that  are  now  put  in  place  in  terms  of 
one-time  transactions  to  really  lessen,  as  you  say,  burdens  or  less- 
en the  requirements  on  a  one-time  transaction.  Somebody  goes  up 
and  uses  an  ATM  machine,  and  it  is  not  their  bank's  ATM  ma- 
chine. We  took  a  lot  of  public  comment  on  that.  We  know  the  regu- 
lators modified  that  in  the  final  rule.  We  have  not  changed  that  in 
the  President's  bill  or  in  the  Chairman's  bill.  I  don't  think  we  have 
changed  that  aspect  moving  forward. 

Mr.  Bereuter.  Thank  you.  But  I  gather  you  are  willing  to  look 
at  possible  changes  in  that  area  if,  in  fact,  it  can  be  demonstrated. 

Mr.  Gensler.  We  look  forward  to  working  with  this  committee 
in  trying  to  move  a  product  forward  that  addresses  the  needs  of  the 
American  people. 

Mr.  Bereuter.  Thank  you.  We  will  see  if  there  is  a  case  that 
needs  to  be  made  and  then  make  it. 

Thank  you,  Mr.  Chairman. 

Chairman  Leach.  Thank  you,  Mr.  Bereuter. 

Mrs.  Maloney. 

Mrs.  Maloney.  Thank  you,  Mr.  Chairman.  I  request  that  my 
opening  comments  be  placed  in  the  record. 

Chairman  Leach.  Without  objection,  and  without  objection  any 
Member  who  wants  to  make  opening  comments. 

Mrs.  Maloney.  Thank  you,  Mr.  Gensler,  for  appearing  before  the 
committee  again  and  bringing  your  daughter  Lee. 

First,  I  want  to  thank  you  and  the  Administration  for  making 
consumer  privacy  one  of  your  highest  priorities.  I  know  that  this 
issue  is  critically  important  to  Secretary  Summers.  He  has  spoken 


12 

before  the  committee  on  it  and  to  the  Vice  President,  who  just 
spoke  out  last  week  on  this  issue. 

I  would  like  to  ask  you,  my  district  is  the  home  of  a  number  of 
large  institutions,  especially  hospitals,  and  could  you  comment  on 
your  interpretation  of  the  bill  as  it  relates  to  patient  service?  Could 
the  opt-in  provisions  prevent  medical  staff  from  having  the  most 
timely  access  to  information  that  they  may  need  for  emergency  pa- 
tients or  are  additional  exemptions  necessary? 

Mr.  Gensler.  I  think  it  is  a  very  critical  issue.  We  do  not  believe 
so. 

This  is  also  a  very  critical  issue  that  HHS  is  addressing  in  their 
medical  regulations  in  terms  of  sharing  of  information,  and  we 
know  they  have  gotten  comment  on  it.  But  we  don't  believe  so,  and 
it  certainly  would  not  be  the  intent  either  in  rule  or  in  law  that 
a  patient  in  an  emergency  room  setting  would  have  that  difficulty. 
It  is  the  intent,  though,  to  limit  information  sharing  in  the  ad- 
vancement of  a  financial  product — again,  investment  advice  or 
other  financial  products  where  there  is  not  that  emergency  situa- 
tion. 

Mrs.  Maloney.  I  certainly  support  the  Chairman's  bill,  but  I  am 
disappointed  that  it  only — and  that  we  are  considering  today  only 
the  area  that  it  addresses,  which  is  medical  privacy,  and  I  wish 
that  it  had  a  broader  scope,  particularly  the  broader  bill  that  Mr. 
LaFalce  has  put  forward  that  includes  really  the  Administration's 
policies  that  they  put  forward. 

I  am  concerned  that  U.S.  citizens  are  really  treated  differently 
than  many  of  our  trading  partners  in  our  global  economy,  specifi- 
cally in  Europe  where  they  have  much  stronger  consumer  privacy; 
and  given  that  much  of  the  opposition  to  consumer  privacy  protec- 
tion is  based  on  their  costs  and  operational  difficulty,  why  should 
U.S.  law  be  weaker  than  that  of  our  trading  partners? 

Mr.  Gensler.  Well,  this  Administration  stands  for  strong  con- 
sumer privacy  protections,  particularly  with  regard  to  financial  pri- 
vacy. I  think  that,  as  you  have  seen  in  the  Ranking  Member's  bill 
and  the  President's  full  support,  it  would  bring  us  to  those  stand- 
ards which  we  think  are  again  balanced,  whereby  industry  would 
have  a  base  of  information  they  could  share,  but  then  the  sensitive 
information  would  have  higher  standards  surrounding  them. 

Mrs.  Maloney.  I  certainly  hope  that  the  Chairman  will  have  a 
hearing  on  the  Administration's  proposal,  because  these  extended 
and  more  complete  consumer  protections  are  very,  very  important. 

I  have  spoken  to  many  industry  representatives  that  tell  me,  par- 
ticularly in  the  health  industry,  that  they  are  willing  to  go  forward 
and  provide  this  consumer  privacy  to  their  customers,  particularly 
on  medical  information,  and  why  is  legislation  necessary  if  compa- 
nies are  willing  to  take  these  voluntary  measures? 

Mr.  Gensler.  Well,  we  think,  as  the  Chairman  said  in  his  open- 
ing remarks,  that  this  is  important  in  moving  forward  not  only  to 
prevent  actions  even  if  they  are  not  rampant  today,  but  also  to  in- 
still confidence  in  our  financial  systems.  Something  fundamentally 
is  changing  around  commerce  today,  not  just  banking,  but  overall, 
and  it  is  the  internet,  and  it  is  electronic  commerce.  And  to  instill 
confidence  in  the  internet  and  instill  confidence  in  the  financial 
system,  we  think  that  fundamental  consumer  protection,  funda- 


13 

mental  privacy  rights,  actually  promotes  the  economy  by  building 
confidence.  So,  if  they  are  going  to  do  it  anyway,  instilling  it  in  law 
doesn't  take  anything  away,  but  it  builds  confidence. 

Mrs.  Maloney.  Actually,  as  we  speak,  the  e-commerce  bill  is  on 
the  floor  that  would  break  down  yet  another  barrier  for  signatures 
for  contracts,  which  is  a  very  important  bill  which  underscores  the 
point  that  you  are  making. 

Mr.  Gensler.  We  have  worked  successfully  with  this  Congress 
on  that  bill,  and  that  is  a  very  important  bill  to  move  forward  elec- 
tronic commerce.  But,  again,  that  bill  is  done  in  a  way  that  was 
sensitive  to  consumer  needs  to  build  the  confidence  in  this  new 
economy. 

Mrs.  Maloney.  My  time  has  expired.  Thank  you  very  much  for 
your  testimony. 

[The  prepared  statement  of  Hon.  Carolyn  B.  Maloney  can  be 
found  on  page  74  in  the  appendix.] 

Chairman  Leach.  Thank  you. 

Mrs.  Kelly. 

Mrs.  Kelly.  Thank  you,  Mr.  Chairman.  I  just  have  a  couple  of 
very  quick  questions  here. 

There  has  been  some  concern  expressed  that  the  provision  that 
we  have  here  threatens  to  impose  a  significant  regulatory  burden 
on  financial  institutions  that  have  to  respond.  I  wonder  how  the 
Administration  responds  to  those  concerns.  The  regulatory  burden 
on  the  financial  institutions  is  something  that  I  think  we  really 
need  to  think  about.  I  wonder  how  you  respond  to  that  concern? 

Mr.  Gensler.  I  think  that  the  bill  before  you  today  and  the 
President's  bill  build  on  the  provisions  in  the  Gramm-Leach-Bliley 
Act  so  they  are  meant  to  be  consistent  and  build  upon  that. 

But  there  are  two  areas  that  people  have  raised.  One,  they  have 
said  there  might  be  a  burden,  because  you  limit  information  in  the 
great  new  economy  that  we  have.  We  think  not  because  there  is  a 
base  of  information  that  can  be  shared  as  long  as  it  is  restricted 
to  reuse,  but  shared  for  risk  management,  fraud,  for  securitization; 
and  we  have  actually  added  a  provision  in  our  proposal  for  consoli- 
dated account  statements,  an  important  provision.  So  there  is  a 
base  that  provides  all  that  information. 

What  the  Administration  is  saying  is  to  market  to  an  individual 
that  we  should  provide  individuals  the  right  to  opt-out,  to  say  "I 
might  not  want  to  be  marketed  to,"  and  then  for  medical  and  for 
complete  profiles  of  an  individual  that  it  would  be  an  opt-in.  We 
think  that  those  limited  provisions  are  important,  actually,  to  pro- 
mote the  financial  industry. 

Mrs.  Kelly.  Your  testimony  just  now,  though,  didn't  include  the 
problems  with  one-time  transactions.  There  are  some  serious  prob- 
lems I  think  there  in  terms  of  the  regulatory  burden  that  will  be 
imposed  on  the  financial  institutions.  People  have  a  one-time  trans- 
action. I  think  that  needs  to  be  considered.  Do  you  think  the  Ad- 
ministration would  consider  possible  changes  to  address  something 
like  that? 

Mr.  Gensler.  You  are  right,  the  bill  and  the  testimony  actually 
do  not  take  up  the  issue.  It  is  precisely  consistent  with  what  Con- 
gress enacted  last  year;  and  in  that  regard,  the  rules  that  were  put 
in  place  had  less  of  a  responsibility  on  the  financial  institution  for 


14 

those  one-time  transactions  in  terms  of,  in  essence,  the  opt-out  for 
third-party  sharing  and  the  like.  I  believe  that  the  regulators  ad- 
dress that  in  their  final  rule.  I  am  not  aware  of  further  comments 
that  came  up. 

Mrs.  K^ELLY.  Would  the  Administration  be  open  to  a  change? 

Mr.  Gensler.  Well,  again,  we  look  forward  to  working  with  this 
committee,  moving  forward  on  getting  the  best  privacy  protections 
for  consumers,  but  also  those  that  are  balanced  and  work  for  the 
economy. 

Mrs.  Kelly.  Are  you  aware  of  any  specific  instances  or  is  the  Ad- 
ministration aware  of  any  specific  instances  where  banks  have  de- 
nied credit  based  on  medical  information  about  the  loan  applicant, 
whether  it  has  been  gotten  from  an  affiliate  or  from  a  non-affiliated 
third  party?  Do  you  know  of  any  instance  like  that? 

Mr.  Gensler.  While  I  am  not  familiar  with  them,  we  are  in  a 
world  that  is  really  new  in  terms  of  the  ability  to  have  databases 
and  to  bring  together  data  across  a  financial  institution  in  a  way 
that  it  is  important  to  put  these  protections  in,  as  I  think  the 
Chairman  had  said,  before  commercial  interests  take  over.  There 
is  a  temptation  there  that  is  really  there,  and  we  think  it  is  best 
to  address  this  now  and,  in  addition,  to  instill  the  confidence  in  the 
system  that  I  think  will  promote  the  banking  system  in  itself. 

Mrs.  Kelly.  If  I  understand  correctly,  you  are  talking  about  in- 
stilling confidence  by  drafting  a  law,  but  you  don't  have  any  spe- 
cific instances  that  you  can  talk  about  where  banks  have  denied 
credit  to  people  in  those  instances. 

Mr.  Gensler.  I  think,  with  all  respect,  we  see  no  reason  to  allow 
somebody  in  extending  a  mortgage  to  look  into  your  personal  med- 
ical history  unless  they  are  asking  that  of  all  those  applicants  of 
the  mortgage  and  unless  they  are  asking  your  permission.  We  can- 
not see  any  reason  why  that  should  be  allowed. 

Mrs.  Kelly.  I  don't  think  anybody  does,  except — anybody  wants 
that,  really,  but,  on  the  other  hand,  I  think  it  is  important  that  we 
not  draft  laws  and  pass  laws  when  there  is  not  a  need  for  a  law. 

Thank  you,  Mr.  Chairman. 

[The  prepared  statement  of  Hon.  Sue  W.  Kelly  can  be  found  on 
page  70  in  the  appendix.] 

Chairman  Leach.  Thank  you.  Sue. 

Mr.  Ackerman. 

Mr.  Bentsen. 

Mr.  Bentsen.  Thank  you,  Mr.  Chairman. 

Mr.  Gensler,  in  reading  your  testimony  as  it  relates  specifically 
to  the  health  information  issue,  would  the  Administration  be  sup- 
portive of  H.R.  4585  if  the  receipt  and  use  provisions  were  similar 
to  what  is  in  the  President's  bill,  including  the  requirement  that 
it  is  the  same  requirement  on  all  customers?  Is  that  your  main 
holdup  with  respect  to  the  health  issue? 

I  understand  that  you  want — that  the  Administration  believes 
that  the  Congress  ought  to  go  further  in  revisiting  the  entire  Title 
V  of  the  Gramm-Leach-Bliley  Act,  but  if  we  were  just  to  focus  on 
health,  which  was  effectively  carved  out  at  the  end  of  the  process 
last  year,  would  those  be  the  main  changes  you  would  be  looking 
at  for  H.R.  4585? 


15 

Mr.  Gensler.  You  are  correct  to  say  those  would  be  the  main 
changes  in  terms  of  the  health  provisions  of  H.R.  4585.  The  Admin- 
istration feels  that  it  is  important  to  move  forward  in  these  other 
areas,  that  to  share  all  of  the  ways  that  Congressman  Bentsen 
spends  his  money,  where  you  spend  it,  how  you  spend  it,  a  com- 
plete list  of  that,  to  be  able  to  share  that  without  your  affirmative 
consent  is  not  an  appropriate  standard.  So  we  feel  that  it  is  best 
to  be  comprehensive,  and  we  look  forward  to  working  with  this 
committee  and  the  Congress  to  achieve  that. 

Mr.  Bentsen.  I  understand  where  Mr.  LaFalce  wants  to  go  as 
well.  It  seems  to  me  that  a  very  strong  case  can  be  made  that,  with 
respect  to  health  information  or  medical  privacy,  that  we  did  not 
go  as  far  in  that  area  as  we  did  in  other  areas  of  financial  privacy 
in  the  Gramm-Leach-Bliley  Act  and  were  we  not  able  to  muster 
support  for  a  broader  bill,  would  it  not  be  appropriate  to  at  least 
plug  this  one  gap  in  the  medical  privacy?  I  realize  your  aide  is  pro- 
viding you  answers  there — ^but,  to  plug  this  one  gap  with  a  bill  like 
H.R.  4585,  would  the  Administration — I  know  you  don't  want  to 
give  up  the  whole  thing  yet,  but  don't  you  think  that  if  there  was 
one  thing  we  could  get  done  this  year,  isn't  this  an  area  where 
Gramm-Leach-Bliley  was  failing  in  medical  privacy  as  compared  to 
other  areas? 

Mr.  Gensler.  We  share  this  committee's  view  that  that  is  a  gap. 
It  is  a  gap  I  think  in  part  created  because  we  have  a  new  situation 
where  insurance  companies  can  affiliate  with  banks.  Before  the 
Gramm-Leach  bill,  that  was  not  legally  permissible.  But,  I  would 
say.  Congressman,  I  still  feel  strongly  that  we  should  address  these 
other  issues,  that  it  is  important.  Some  issues  that  actually  benefit 
industry — for  example,  to  allow  for  consolidated  calling  centers — we 
think  very  importantly  also  benefit  consumers,  not  only  through 
getting  greater  services — like  consolidated  call-in  centers  would 
give  greater  services — ^but  also  in  terms  of  giving  greater  confidence 
and  protection  around  the  sharing  of  the  specially  sensitive  infor- 
mation. 

Mr.  Bentsen.  H.R.  4585,  as  the  Administration  reads  it,  would 
enforcement  of  this  be  in  the  same  way  as  the  other  financial  pri- 
vacy parts  of  Gramm-Leach-Bliley  are?  And  the  Chairman  has 
pointed  out  that  it  would  not  preempt  or  supersede  the  HHS's  role 
under  the  HIPAA  law.  Does  the  Administration  agree  with  that  in- 
terpretation? Do  you  believe  in  any  way  this  would  preempt  the 
Secretary  of  HHS  or  HHS  or  the  HIPAA  law?  Are  you  comfortable 
with  how  that  section  is  drafted? 

Mr.  Gensler.  Let  me  make  sure.  I  think  the  answer  to  both 
parts  of  your  question  are  yes,  that  the  Chairman's  language  and 
the  language  in  H.R.  4380  do  not  supersede  HIPAA  or  HHS,  as  we 
can  see,  in  any  way. 

Mr.  Bentsen.  Finally,  does  this  bill — and  the  Chairman  may  an- 
swer this.  But  does  this  bill  or  does  your  bill  preempt  State  law  or 
does  it  follow  along  the  same  track  that  Gramm-Leach-Bliley  did 
that  gave  the  States  the  predominant  role  in  setting  privacy  stand- 
ards? 

Mr.  Gensler.  It  sort  of  adds  to  Gramm-Leach-Bliley,  and  so  you 
are  familiar  with  those  provisions.  In  these  bills  there  is  no  state- 


16 

ment  on  preemption,  thus  leaving  in  place  the  regime  that  we  have 
prior  to  these  bills. 

Mr.  Bentsen.  Thank  you. 

Thank  you,  Mr.  Chairman. 

Chairman  Leach.  Mr.  Lucas. 

Mrs.  Biggert. 

Mrs.  Biggert.  Thank  you,  Mr.  Chairman. 

Mr.  Gensler,  with  this  bill  and  concerning  Worker's  Compensa- 
tion and  automobile  insurance,  both  of  which  deal  with,  number 
one,  timely  access  to  health  or  medical  records,  timely  receipt  of 
that,  do  you  think  this  would  cause  delay  in  obtaining  the  relevant 
health  data  needed  by  worker's  comp  to  proceed  with  claims  and 
in  the  auto  insurance,  which  also  deals  with  indemnifying  con- 
sumers from  medical  losses?  I  see  a  delay  perhaps  in  worker's  comp 
cases.  What  if  the  consumer  actually  refused  to  opt-in  to  provide 
their  medical  records  in  a  case  which  questions  their  claim? 

Mr.  Gensler.  We  don't  believe  that  it  would  delay.  But,  also,  if 
in  any  way  when  we  think  through  this  together  that  would  be  an 
issue,  we  would  look  at  what  technical  issues  needed  to  be  added. 
We  don't  think  so. 

And  I  would  add,  because  it  allows  for  specific  opt-in  product-by- 
product, you  could  put  a  specific  opt-in  exception  in  cases  that  are 
necessary  around  providing  the  medical  services  or  Worker's  Com- 
pensation and  the  like,  if  it  was  medical  services  or  disability. 

Mrs.  Biggert.  That  would  apply  then  to  maybe  auto  insurance? 

Mr.  Gensler.  It  could;  but,  again,  we  don't  think  that  either  bill 
limits  the  timely  payments  under  auto  insurance.  Because,  again, 
if  you  have  an  accident,  that  is  the  time  you  share  the  medical  in- 
formation. 

Mrs.  Biggert.  And  then  as  far  as  the  provisions  for  opting  in 
and  Gramm-Leach  has  the  opt-out,  is  this  going  to  be  confusing  for 
when  you  opt-in,  you  opt-out?  Is  this  something  that  we  need  to 
deal  with? 

Mr.  Gensler.  We  don't  think  so.  There  are  many  provisions  al- 
ready in  law  that  are  opt-in — video  rental,  under  the  Federal  Pri- 
vacy Act,  certain  provisions  under  FCRA — the  Fair  Credit  Report- 
ing Act — in  terms  of  sharing  your  credit  report  with  employers  and 
the  like.  So  there  are  standards  this  Congress  has  put  in  place  that 
are  opt-ins  where  there  is  especially  sensitive  information.  Even 
under  HIPAA  it  is  effectively  a  consent  or  opt-in  for  health  and 
medical  information  under  HIPAA,  but,  unfortunately,  it  only  ap- 
plies to  health  insurers  and  not  other  insurers. 

Mrs.  Biggert.  A  U.S.  Supreme  Court  refused  to  hear  an  appeal 
by  a  Federal  Appeals  Court  ruling  in  Colorado  that  struck  down  as 
unconstitutional  regulations  promulgated  by  the  FCC  that  re- 
stricted intracarrier  sharing  of  certain  customer  information,  and 
what  they  looked  at  specifically  was  the  opt-in  provisions,  which 
seemed  to  be  somewhat  similar  to  this  bill  and  the  Administration 
proposals.  Have  you  looked  at  that  case? 

Mr.  Gensler.  I  haven't  personally.  Let  me  just  ask.  I  think  I  am 
going  to  get  an  expert  answer. 

Let  me  just  say,  we  have  been  working  with  the  Department  of 
Justice  around  all  the  Administration  privacy  proposals  and  fo- 
cused on  the  10th  Circuit  opinion,  and  believe  that  the  Administra- 


17 

tion's  bill  in  terms  of  its  opt-in  provisions,  and  I  think  this  would 
also  count  for  the  Chairman's  bill,  but  I  don't  know  that  DO  J  has 
had  the  same  amount  of  time,  are  constitutional,  even  in  light  of 
the  10th  Circuit  opinion. 

Mrs.  BiGGERT.  Thank  you. 

Thank  you,  Mr.  Chairman. 

Chairman  Leach.  Thank  you,  Mrs.  Biggert. 

Mr.  Ackerman. 

Mr.  Ackerman.  Thank  you  very  much,  Mr.  Chairman.  I  did  have 
a  question,  Mr.  Secretary.  On  a  previous  question,  did  I  understand 
you  to  say  that  you  would  be  supportive  of  an  exemption  for  one- 
time transactions  as  it  might  be  burdensome. 

Mr.  Gensler.  I  think  what  I  said,  in  terms  of  the  regulations 
under  last  year's  law,  we  think  they  put  in  place  a  different  set  of 
obligations  on  those  one-time  transactions.  We  think  they  were  ef- 
fective. We  are  not  aware  of  comments  that  have  come  in  subse- 
quent to  that  final  rule.  What  I  also  said  is  we  look  forward  to 
working  with  this  committee  on  broad  comprehensive  privacy  and 
moving  broad  comprehensive  privacy  forward  related  to  financial 
privacy.  If  there  is  a  specific  issue,  then  it  would  be  rightly  taken 
up  in  that  comprehensive  bill.  And  we  would  be  open  to  looking  at 
appropriate  issues  to  help  protect  consumers,  but  also  to  foster 
commerce. 

Mr.  Ackerman.  In  your  view,  would  somebody  undergoing  a 
medical  examination  as  a  prospective  insured  under  health  insur- 
ance, would  that  be  considered  a  one-time  transaction?  Well,  as  we 
don't  have  right  now  in  place  a  medical  financial  privacy  law,  it  is 
more  in  the  prospective  I  think  that  you  would  probably  be  asking 
it,  but  in  terms  of  the  Administration's  approach,  if  you  are  con- 
ducting an  exam  for  life  insurance  that  is  specific  to  that  product, 
and  if  the  life  insurer  is  asking  it  of  all  customers  under  the  Presi- 
dent's proposal,  as  long  as  it  is  asked  of  all  customers  and  you  are 
consenting  to  it,  you  are  having  the  physical,  so  you  are  personally 
consenting  to  it,  then  that  moves  forward. 

What  we  are  trying  to  protect  is  that  that  health  information  is 
not  then  used  by  some  affiliate  for  some  other  financial  product,  a 
separate  financial  product. 

Mr.  Ackerman.  What  about  for  the  same  financial  product?  To 
give  you  a  specific  example  of  that,  that  would  be  of  assistance  to 
you  in  thinking  this  through,  a  person  goes  for  a  medical  exam  for 
life  insurance  and  they  make  a  determination  that  the  person  test- 
ed positive  for  HIV.  And  they  decide  not  to  insure  the  person  and 
they  decide  not  to  disclose  it  to  the  person  who  was  tested,  and 
they  decide  to  post  it  using  a  secret  code  on  the  internet  made 
available  to  insurance  companies  so  that  every  other  insurance 
company  who  belonged  to  the  association,  knowing  the  code  will 
understand  that  this  person  tested  positive  and  would  therefore  be 
warned  not  to  issue  insurance.  Would  you  be  in  favor  of  that  one- 
time exclusion  under  those  circumstances? 

Mr.  Gensler.  Absolutely  not,  sir.  Absolutely  not.  The  only  thing 
that,  trying  to  highlight,  I  think,  in  your  earlier  question,  is  that 
nothing  in  these  bills  would  prohibit  a  life  insurance  company  from 
requesting  that  you  have  a  physical  exam  for  that  product  provided 
by  that  life  insurer.  But  that  life  insurer  should  not,  and  I  think 


18 

Americans  would  all  agree,  be  able  to  share  that  information  with 
others  or  post  it  on  the  internet. 

Mr.  ACKERMAN.  Not  every  insurance  company  agrees  with  that. 

Thank  you,  Mr.  Chairman, 

Chairman  Leach.  Thank  you,  Mr.  Ackerman. 

Mr.  Terry,  did  you  seek  recognition? 

Mr.  Terry.  No. 

Chairman  Leach.  Ms.  Hooley. 

Ms.  Hooley.  Thank  you,  Mr.  Chairman.  Thank  you,  Mr, 
Gensler.  Thank  you  for  bringing  your  daughter,  I  think  that  is 
great. 

Mr.  Gensler.  Thank  you. 

Ms.  Hooley.  Most  of  my  questions  have  been  asked,  but  there 
are  still  a  couple  I  have.  Do  we  need  any  special  provisions  or  any- 
thing different  that  deals  with  mental  health?  Do  you  put  that  in 
the  same  category  as  all  other  health? 

Mr.  Gensler.  Well,  the  Chairman's  bill  actually  has  a  specific 
provision  with  regard  to  mental  health,  and  it  was  an  enhance- 
ment, in  fact,  in  the  President's  bill  to  have  a  specific  consent  with 
regard  to  mental  health,  and  we  think  it  probably  is  appropriate 
to  have  an  additional  protection  in  a  separate  category,  and  we 
look  forward  to  working  with  this  committee  if  there  are  other  en- 
hancements in  that  specific  field. 

Ms.  Hooley.  Another  question  is,  tell  me  one  more  time  what  is 
the  difference  in  this  bill  that  enhances  that  privacy  regulation 
over  what  the  Secretary  of  Health  and  Human  Services  has  come 
up  with? 

Mr,  Gensler,  The  Secretary  of  Health  and  Human  Services  has 
limited  authority,  limited  because  the  1996  law  that  people  are  re- 
ferring to  as  HIPAA  only  related  to  "covered  entities" — health  pro- 
viders, health  plans,  and  health  clearinghouses.  Life  insurers  are 
not  a  covered  entity.  Disability  insurers  are  not  a  covered  entity. 
Auto  insurers,  property  and  casualty  are  all  non-covered  entities. 
Banks,  by  the  way,  are  not  covered  entities.  So  she's  moving  for- 
ward and  the  President  is  moving  forward  the  best  they  can,  but 
it  is  within  that  law. 

Ms.  Hooley.  Then  lastly,  I  know  your  bill  is  looking  at  how  do 
we  protect  consumers.  Have  you  done  any  looking  at  what  it  costs 
financial  institutions  to  implement  these  proposals? 

Mr.  Gensler.  Well,  I  know  that  the  regulators  did  some  on  the 
Gramm-Leach  provisions,  but  in  terms  of  moving  this  bill  forward, 
it  again  just  builds  on  the  basis  of  the  Gramm-Leach  provisions  for 
notice  and  choice,  and  importantly,  a  choice  with  regard  to  medical 
in  the  Chairman's  bill.  But  we  have  tried,  I  think,  in  both  bills,  to 
just  build  upon  the  same  regimes  and  the  same  methodologies  that 
I  say  went  through  public  comment,  I  think  there  were  2,600  com- 
ments that  came  in  on  the  earlier  provisions,  most  of  which  were 
constructively  addressed, 

Ms,  Hooley,  Thank  you  very  much. 

Thank  you,  Mr,  Chairman, 

Chairman  Leach.  Thank  you. 

Ms.  Carson,  did  you  wish  to  be  recognized? 

Ms.  Carson.  Not  right  now.  Thank  you. 

Chairman  Leach.  Mr.  Inslee, 


19 

Mr.  Inslee.  Thank  you,  Mr.  Chairman.  I  want  to  thank  the 
Chair  for  following  through  on  this  important  issue.  I  know  the 
Chair  feels  strongly  about  closing  this  massive  loophole  and  getting 
this  resolved.  I  am  very  hopeful  that  we  will  do  that  this  year,  and 
the  other  Chamber  will  follow  our  lead.  I  appreciate  the  Chair's  ad- 
vancing this  at  this  time.  But  I  think  it  is  very  important  to  note 
that  I  feel  that  our  job,  even  if  we  resolve  this  issue,  and  I  am  con- 
fident we  will,  at  least  in  this  committee,  that  there  are  really  mas- 
sive imperfections  in  the  Gramm-Leach  bill  that  we  ought  to  ad- 
dress this  month,  and  to  date,  we  have  not  had  any  encouraging 
signs  that  we  will  have  hearings  either  in  full  committee  or  sub- 
committee on  closing  the  affiliate  sharing  loophole,  and  that  causes 
me  great  concern,  because  I  can  tell  you  that  since  we  last  ad- 
dressed the  issue  of  privacy  in  this  committee,  this  issue  has  taken 
off  like  a  rocket  in  America. 

We  had  the  first  sort  of  inkling  of  that  last  fall  when  I  first 
brought  an  amendment  in  Gramm-Leach-Bliley  to  address  this 
whole  privacy  issue,  and  I  think  all  of  us  Members  of  Congress 
since  then  have  learned  that  there  is  probably  no  issue  in  America 
today  that  is  growing  in  people's  anxiety  levels  than  the  loss  of  pri- 
vacy in  this  country.  I  think  since  we  passed  the  Gramm-Leach 
bill,  that  has  continued  to  grow  exponentially.  You  can't  pass  a 
magazine  stand  without  reading  or  pick  up  a  newspaper  today,  and 
I  can  echo  those  comments  that  are  on  Main  Street. 

So  the  question  comes,  when  are  we  going  to  address  this  affil- 
iate sharing  issue  and  when  will  this  committee  have  hearings  to 
do  that?  I  suppose  we  could  wait  until  the  next  Congress  to  address 
that  if  we  felt  we  didn't  have  enough  information  to  know  whether 
there  is  a  problem  today.  But  I  have  to  ask  this  question:  Do  we 
have  to  wait  till  the  next  Congress  to  figure  out  that  companies  are 
going  to  share  private  personal  financial  information  against  our 
interests,  against  our  specific  directions  with  their  various  affiliates 
under  Gramm-Leach?  We  do  not  have  to  wait  till  the  next  Congress 
to  know  that  that  is  going  to  happen  as  soon  as  it  is  legally  permis- 
sible. 

Second,  do  we  have  to  wait  that  when  our  constituents  find  out 
that  that  is  going  on,  that  they  are  going  to  be  outraged?  Do  we 
have  to  wait  till  the  next  Congress  to  figure  that  out?  I  suggest  we 
do  not  have  to  wait  to  know  that  Americans  are  going  to  be  out- 
raged about  these  telemarketing  gambits  that  are  going  on,  sharing 
their  personal  private  information.  We  don't  have  to  wait  till  the 
next  Congress  to  figure  that  out. 

Lastly,  do  we  have  to  figure  out  in  the  next  Congress  how  to  deal 
with  this  issue?  I  don't  think  there  is  any  reason  we  are  going  to 
learn  something  between  now  and  the  next  Congress.  So  I  feel  very 
strongly  that  tWs  committee  ought  to  have  hearings,  this  Congress, 
on  the  affiliate  sharing  issue  and  the  issue  of  opt-in/opt-out,  which 
remains  in  contention.  The  Chair  has  shown  leadership  in  bringing 
this  to  this  committee,  and  I  am  just  hopeful  that  we  will  have  an 
opportunity  to  further  address  this  affiliate  sharing  issue  in  Con- 
gress. 

Having  said  that,  Mr.  G«nsler,  my  soap  box,  I  would  just  ask  if 
there  is  anything  you  would  like  to  add  on  the  timing  of  this  dis- 
cussion? 


20 

Mr.  Gensler.  Congressman  Inslee,  we  applaud  your  leadership 
on  this  issue.  It  was  very  good  to  work  with  you  on  the  digital  sig- 
nature bill  as  well,  which  is  such  an  important  issue  for  this  Na- 
tion. 

We  share  your  views.  We  think  that  there  is  no  time  to  address 
this  issue  like  now.  This  is  all  going  one  way,  it  seems.  One  of  my 
colleagues  earlier  today  said  that  Congress  is  conducting  five  dif- 
ferent hearings,  that  the  Administration  is  talking  about  privacy  in 
one  realm  or  another  this  week.  It  just  gives  a  sense  of  the  potency 
of  this  to  the  American  people.  I  think  that  we  have  had  a  thought- 
ful balanced  approach  about  affiliate  sharing.  We  come  out  on  the 
side  of  the  debate.  The  Administration  comes  out,  as  you  do,  that 
there  should  be  some  choice;  that  regarding  notice  and  choice, 
there  is  no  distinction  between  affiliates  and  third  parties,  and  that 
the  one  issue  that  industry  has  raised — and  we  have  dealt  with,  is 
consolidated  call-in  centers  and  consolidated  statements.  They  al- 
ready had  what  is  known  as  the  502  E  exceptions  in  the  Gramm- 
Leach  bill,  which  is  a  series  of  eight  important  exceptions,  and  it 
is  time  to  move  on. 

And  I  think  we  believe  that  credit  card  companies  should  not  be 
able  to  share  a  complete  list  of  how  you  spend  your  money,  where 
you  spend  the  money.  In  essence,  a  total  portrait  of  you  as  an  indi- 
vidual, without  you  having  the  right  to  say  'Tes,  you  can  share 
that  and  tell  somebody  the  complete  search  and  the  complete  por- 
trait on  Congressman  Inslee." 

Mr.  Inslee.  That  perhaps  could  be  some  interesting  reading,  I 
suppose. 

Thank  you,  Mr.  Gensler.  Thank  you,  Mr.  Chairman,  for  bringing 
this  to  our  attention.  I  am  just  hopeful  that  the  Chair  can  see  to 
allow  this  committee  to  address  this  issue  and  not  have  to  wait  for 
new  Members  of  Congress.  I  think  there  will  be  some  new  Mem- 
bers of  Congress  here  perhaps  because  of  this  issue,  but  we 
shouldn't  have  to  wait  for  them,  and  we  ought  to,  on  a  bipartisan 
basis,  move  forward  in  this  regard.  Thank  you. 

Chairman  Leach.  The  Chair  would  like  to  thank  the  gentleman 
for  his  advice  and  the  Secretary  as  well.  I  would  also  like  to  thank 
both  the  gentleman  and  the  Secretary  for  switching  to  the  Chair's 
position,  and  now  supporting  in  a  more  timely  basis,  the  medical 
privacy  issue.  I  am  glad,  having  sought  delay  on  that  issue  last 
year,  you  are  now  in  favor  of  moving  forthrightly  at  this  time. 

Mr.  Moore. 

Mr.  Moore.  Mr.  Chairman,  I  don't  have  any  further  questions  of 
Mr.  Grensler.  I  do  appreciate  your  work  in  this  area,  and  I  am  hope- 
ful that  we  can,  as  Mr.  Inslee  pointed  out,  expand  it  at  some  point 
beyond  just  medical  privacy  and  financial  privacy,  but  internet  pri- 
vacy and  a  lot  of  other  issues  that  are  of  great  concern,  I  think, 
to  the  American  people.  Thank  you. 

Chairman  Leach.  Mr.  Gonzalez. 

Mr.  Gonzalez.  Thank  you  very  much. 

Quickly  a  couple  of  questions.  As  you  have  indicated,  one's  med- 
ical records,  medical  information  and  personal  spending  habits,  in- 
formation profiles,  would  be  two  categories  of  information  that 
would  rise  to  the  level  of  this  special  zone  of  privacy.  I  think  that 
may  be  the  term  which  really  equates  to  opt-in.  That  is  the  distinc- 


21 

tion  in  mind,  anyway.  I  am  wondering  what  other  type  of  informa- 
tion, in  your  opinion,  would  rise  again  to  the  level  which  would 
place  it  in  this  special  "zone  of  privacy?" 

Mr.  Gensler.  The  two  areas  I  think  you  highlighted  were  those 
two  areas,  medical  information,  and  then  the  complete  portrait,  the 
complete  spending  habits.  Those  were  the  only  two  that  we  thought 
would  be  at  that  enhanced  level,  and  in  essence,  the  burden  would 
be  on  the  provider  of  services  to  get  your  consent.  Another  area — 
just  marketing — the  burden,  in  essence,  would  be  on  the  consumer 
to  fill  out  the  form  and  send  it  back  in,  but  we  thought  that  that 
is  less  sensitive  information,  and  thus  the  burden,  more  appro- 
priately, is  on  the  consumer. 

Mr.  Gonzalez.  In  all  your  discussions,  though,  nothing  else  has 
entered  those  discussions  that,  again,  make  it  this  type  of  treat- 
ment on  the  opt-in  standard. 

Mr.  Gensler.  That  is  correct.  As  I  noted  earlier.  Congress  has 
had  opt-in  for  other  provisions,  whether  it  is  in  the  Telecommuni- 
cations Act  or  video  rentals  and  other  areas  that  Congress  has  seen 
that  as  an  appropriate  means  of  protecting  a  zone  of  privacy. 

Mr.  Gonzalez.  The  second  question  relates  to  the  HHS  stand- 
ards which  would  apply  to  health  plans,  health  care  clearinghouses 
and  certain  health  care  providers,  as  you  pointed  out.  Then  we 
have  this  bill  here,  H.R.  4585,  that  would  encompass  financial  in- 
stitutions. Who  have  we  left  out? 

Mr.  Gensler.  I  am  not  quick  enough  to  think,  but  in  terms  of 
medical — this  addresses  financial  institutions.  I  am  sure  there  are 
some  institutions  that  are  neither  financial  nor  health  care  pro- 
viders. 

Mr.  Gonzalez.  That  is  my  point.  I  guess  this  bill  is  going  to  con- 
tinue the  piecemeal  approach  to  privacy  legislation.  I  understand 
we  approach  privacy  many  times  in  many  ways,  and  maybe  the 
final  outcome  is  we  will  have  one  bill  that  maybe  can  address  all 
the  different  activities.  The  reason,  obviously,  is  that  you  have  cer- 
tain entities  that  may  have  shared  activities,  for  instance,  that 
would  subject  them  to  one  set  of  rules,  and  possibly  another  set  of 
rules,  thus  creating  confusion.  That  is  why  I  was  just  asking  you, 
is  there  anj^hing  that  you  see  now  that  needs  to  be  addressed  dif- 
ferently in  this  bill?  Should  some  other  enterprise,  some  other  ac- 
tivity, some  other  business,  be  included  or  deleted? 

Mr.  Gensler.  The  President  has  laid  out  and  the  Administration 
has  felt  strongly  that  there  are  three  areas  broadly  that  are  appro- 
priate to  address  statutorily  and  that  is  medical,  financial,  and 
children's  online.  Those  are  the  three  broad  areas  that  he  and  the 
Vice  President  have  laid  out  a  number  of  times,  and  the  Adminis- 
tration has  moved  forward  and  worked  successfully  with  the  Con- 
gress on  the  Children's  Online  Privacy  Act  some  time  ago,  worked 
successfully,  even  last  year,  on  the  financial  bill,  even  though  we 
think  we  should  do  more. 

Mr.  LaFalce.  I  wonder  if  the  gentleman  from  Texas  would  yield 
for  a  question. 

Mr.  Gonzalez.  Of  course. 

Mr.  LaFalce.  Mr.  Gensler  has  been  assisted  in  his  testimony  by 
a  relative  of  his,  and  it  is  my  understanding  that  you  have  been 
assisted  in  your  questioning  on  this  issue  that  it  is  an  appropriate 


22 

zone  of  privacy  by  a  relative  of  yours,  an  attorney  from  San  Anto- 
nio, who  has  prepared  quite  an  outstanding  book  dealing  with  the 
issue  of  zones  of  privacy,  which  I  hope  you  would  share  with  the 
Members  of  the  committee. 

Mr.  GrONZALEZ.  Not  at  this  time,  because  it  would  be  a  lengthy 
discourse,  I  guarantee  you.  Thank  you. 

That  is  all  I  have.  Thank  you  very  much,  Mr.  Chairman. 

Chairman  Leach.  Mr.  Lucas,  do  you  seek  recognition? 

Mr.  Lucas.  No. 

Chairman  Leach.  Mr.  Capuano. 

Mr.  Capuano.  Thank  you,  Mr.  Chairman. 

Mr.  Gensler,  I  just  have  a  couple  of  questions.  I  guess  one  is 
purely  educational,  as  far  as  I  am  concerned.  Under  the  current  sit- 
uation, the  current  laws,  oftentimes  I  pick  up  the  local  papers  and 
I  read  on  a  regular  basis  probably  several  times  a  week  about  a 
prominent  figure  in  the  community  coming  up  with  some  medical 
problems,  admitted  into  the  hospital  for  this,  admitted  into  the  hos- 
pital for  that,  being  treated  in  an  experimental  way  for  this  prob- 
lem, that  problem. 

Under  current  situations,  is  that  person  protected  from  any  ret- 
ribution, potential — maybe  a  better  word  can  be  used — any  reaction 
from  the  financial  community?  Could  that  person  have  his  loans  or 
her  loans  pulled,  have  them  called,  be  denied  if  they  are  in  the 
middle  of  getting  a  mortgage,  and  a  banking  executive  happens  to 
read  right  now  that  they  are  getting  treatment  for  some  heart 
anomaly? 

Mr.  Gensler.  I  just  wanted  to  check.  No,  there  are  no  Federal 
statutes  in  place  that  would  limit  that  at  all. 

Mr.  Capuano.  I  didn't  think  there  were,  but  I  wasn't  sure.  I  want 
to  make  sure.  I  guess  I  would  like  at  some  point  some  people  to 
take  a  look  at  that  as  well.  I  am  not  so  sure  it  is  easy  to  put  your 
arms  around.  I  am  not  so  sure  it  is  something  you  can  address,  but 
it  is  something,  there  should  be  lines.  I  think  there  should  be  lines, 
especially  people  in  my  world,  in  your  world.  There  is  nothing  I  do 
that  is  private.  Nothing.  And  people  have  websites  up  and  pretty 
much  everybody  here,  probably  on  you,  too,  telling  all  the  terrible 
things  I  did  just  yesterday,  never  mind  the  rest  of  my  life,  and  I 
would  be  concerned  deeply  if  my  family  were  negatively  impacted. 

It  is  not  just  politicians,  anybody  in  the  public  realm  is  subject 
to  that,  and  it  would  concern  me  if  there  were  no  limits  whatsoever 
on — it  is  one  thing,  freedom  of  speech  to  say  whatever  you  want  to 
say.  I  understand  all  that.  But  you  know  as  well  as  I  do,  if  you  go 
right  now,  if  you  are  admitted  into  a  hospital  for  a  checkup  right 
now,  you  know  darn  well  the  likelihood  is  pretty  good  that  we'll  be 
reading  about  it  in  the  paper  tomorrow. 

I  don't  think  that  that  is  something  we  should  just  ignore.  It  is 
one  thing  to  focus  on  the  immediate  problem  in  front  of  us.  I  think 
that  is  all  well  and  good.  It  is  a  big  step  forward,  but  I  don't  want 
to  lose  sight  of  the  bigger  issue  as  well. 

Shifting  gears,  the  only  other  issue  I  have  I  heard  earlier  there 
is  always  concern  about  passing  laws  that  were  not  needed,  we  are 
not  sure  we  need  them.  I  am  not  interested  in  the  morality,  not  in- 
terested in  the  ethics,  I  am  not  interested  in  the  social  aspects  of 
privacy.  I  have  my  own  opinions  on  that.  That  is  all  well  and  good. 


23 

I  am  interested  in  the  financial  aspects.  In  the  banking  world,  do 
you  think  that  the  banking  world  would  be  better  served  finan- 
cially if  Congress  were  to  sit  back  on  this  issue  or  any  other  issue 
and  not  speak,  let  it  go  until  there  is  a  problem  and  then  react 
after  the  businesses  have  invested  probably  millions  of  dollars  in 
software,  millions  of  dollars  in  personnel,  millions  of  dollars  in 
mailing  and  telephone  centers,  and  so  forth,  and  so  forth,  and  so 
forth,  because  maybe  I  am  wrong,  but  my  estimation  is  that  once 
the  first  financial  institution  starts  sharing  medical  information, 
even  though  the  others  will  say  "It  is  morally  reprehensible,  it  is 
terrible,  we  will  never  do  that."  But  the  first  time  they  save  money 
or  they  make  money,  someone  else  is  going  to  fall  in  line.  And 
eventually  we  are  going  to  end. 

It  strikes  me  as  financially  better  for  the  financial  services  com- 
munity if  we  can  set  the  rules  now,  let  them  know  what  the  rules 
are  going  to  be  now  rather  than  waiting  for  some  situation  to  arise, 
and  I  don't  think  any  ordinary  American  thinks  that  it  won't  hap- 
pen if  we  do  nothing.  Something  will  happen  and  we  will  overreact 
and  have  wasted  millions  of  dollars,  millions  of  hours  of  personnel 
time  and  all  the  problems  that  are  associated  with  changing  busi- 
ness practices. 

I  guess  I  just  wonder,  do  you  think  I  am  completely  off  the  wall? 
I  don't  mind  being  off  the  wall.  That  is  what  I  do.  Or  do  you  think 
there  is  in  legitimacy  to  that  concern? 

Mr.  Gensler.  We  think  that  it  is  fundamentally  important  to  ad- 
dress this  issue  for  consumers  and  for  the  banking  system.  We 
think  it,  as  we  said  earlier,  not  only  instills  confidence,  but  gets 
ahead  of  an  issue  that  could  be — it  is  like  an  attractive  nuisance. 
It's  too  tempting,  frankly.  And  having  been  in  Commerce,  I  could 
never  imagine  that  any  of  my  former  partners  would  do  anjrthing 
on  this,  but  I  think  it  is  attractive,  and  it  is  there  and  I  think  we 
should  address  it. 

Mr.  Capuano.  I  never  would  have  thought  that  so  many  people 
would  be  calling  me  in  the  middle  of  the  night  twenty  years  ago 
trying  to  sell  me  another  credit  card  after  I  have  400  in  my  pocket 
already.  But  that  attractive  nuisance  is  just  unavoidable  when 
there  is  money  to  be  made.  I  understand  that.  I  ask  the  question 
having  already  formed  my  opinion.  I  think  it  is  good  business  prac- 
tices for  Congress  on  issues  such  as  this  to  set  the  bars  now  to  save 
the  time,  the  trouble,  the  money  that  is  involved  in  following  down 
what  I  think  will  end  up  being  a  dead  end. 

Mr.  Gensler.  It  is  also,  as  we  change  so  rapidly,  what  we  want 
to  do  is  adopt  the  new  information  age,  as  we  move  from  sort  of 
the  industrial  age  to  the  information  age.  The  President  said  in  his 
speech  in  Ypsilanti,  he  said,  when  we  moved  from  an  agricultural 
age  to  an  industrial  age,  it  was  important  to  adopt  new  laws  at 
that  time,  to  put  in  place  really  the  progress  and  to  expand  to  the 
full  middle  class  the  nature  of  the  industrial  age  as  we  moved  into 
the  20th  Century.  As  he  said  better  than  I  could,  we  need  to  do 
the  same  as  we  move  into  the  information  age,  and  put  in  and 
adopt  laws  to  help  us  move  and  promote,  for  all  Americans,  the 
success  moving  forward. 

Mr.  Capuano.  As  a  little  footnote  to  that,  I  think  it  is  well  put 
that  there  were  many  people  in  those  days  that  objected  to  the  pro- 


24 

posed  laws  at  the  time  as  overbearing,  overreaching.  We  don't  need 
them.  We  are  doing  fine  without  them.  It  is  not  a  new  story.  It  is 
an  old  story  and  I  think  it  clearly  worked  well  for  this  country,  for 
the  American  people  in  the  past  transitions,  and  I  think  it  will 
work  well  here.  Thank  you. 

Chairman  Leach.  Thank  you. 

Ms.  Schakowsky. 

Ms.  Schakowsky.  No,  thank  you. 

Chairman  Leach.  I  think  that  is  the  last  questioner.  Let  me  just 
briefly  opine,  because  we  are  in  the  realm  of  privacy,  and  several 
constitutional  issues  have  been  raised,  and  the  Chair  is  willing  to 
suggest  that  Freedom  of  Information  requests  do  not  apply  to  the 
notes  passed  from  Ms.  Lee  Gensler  to  her  father.  In  any  regard,  we 
thank  you  very  much,  Gary. 

Mr.  Gensler.  Thank  you,  Mr.  Chairman. 

Chairman  Leach.  Our  second  panel  is  composed  also  of  a  single 
witness.  Ms.  Kathleen  Sebelius,  who  is  Commissioner  of  Insurance 
for  the  State  of  Kansas  and  Vice  President  of  the  National  Associa- 
tion of  Insurance  Commissioners.  I  would  like  to  ask  Mr.  Ryun  if 
he  would  like  to  make  any  welcoming  remarks. 

Mr.  Ryun.  Mr.  Chairman,  first  of  all,  I  am  sorry  I  missed  the 
opening  statements  and  didn't  have  an  opportunity  to  welcome  my 
Insurance  Commissioner,  Kathleen  Sebelius.  But  I  do  want  to 
thank  her  for  coming  today.  She  has  been  an  advocate  for  the  med- 
ical privacy  of  Kansas.  She  has  been  recognized  for  her  efforts  in 
Kansas,  and  certainly  by  the  National  Association,  and  I  welcome 
her  testimony  to  do  what  we  can  to  ensure  that  all  Americans  have 
the  kind  of  medical  privacy  that  we  are  looking  to  protect  in  light 
of  the  Gramm-Leach-Bliley  bill,  and  I  want  to  thank  her  for  the  op- 
portunity to  say  something,  and  welcome.  Thank  you  for  coming 
today. 

Chairman  Leach.  Thank  you,  Mr.  Ryun. 

Mr.  Moore,  would  you  like  to  comment  as  well? 

Mr.  Moore.  Thank  you.  Mr.  Chairman,  again,  I  congratulate  you 
on  your  good  work,  on  convening  this  hearing,  and  the  bill  that  you 
drafted.  I  also  appreciate  the  opportunity  to  extend  some  brief  re- 
marks to  welcome  Insurance  Commissioner  Kathleen  Sebelius 
here. 

Kathleen  has  a  very  interesting  background.  She  comes  from  a 
bipartisan  political  family.  Her  father  was  Governor  of  Ohio.  Her 
father-in-law  was  a  former  Member  of  Congress  from  Kansas.  Her 
husband  is  now  nominated  to  be  a  United  States  District  Court 
judge  in  Kansas. 

I  am  very,  very  pleased  to  have  Kathleen  here  today.  She  was 
first  elected  in  1994  and  reelected  in  1998  as  Kansas  Insurance 
Commissioner,  and  previously  served  four  terms  in  the  Kansas 
House  of  Representatives.  She  currently  is,  as  I  think  the  Chair- 
man indicated,  Vice  President  of  the  National  Association  of  Insur- 
ance Commissioners,  and  is  Chair  of  the  Working  Group  on  Pri- 
vacy. That  is  the  capacity  she  appears  before  our  committee  today. 

She  was  recently  recognized  as  a  renaissance  regulator  by  the 
June  issue  of  Best's  Review,  a  national  magazine  focusing  on  insur- 
ance issues.  They  observed,  and  I  thought  this  was  very  inter- 
esting, that  she  was  able,  in  the  last  five  years,  to  eliminate  almost 


25 

half  of  the  regulations  on  insurance  in  the  State  of  Kansas.  She 
has  established  a  reputation  as  a  national  leader  on  health  insur- 
ance issues  and  is  leading  the  NAIC  effort  to  develop  uniform  regu- 
lations that  balance  privacy  for  individuals  against  insurers'  busi- 
ness needs  for  consumer  information.  I  often  turn  to  Kathleen  for 
advice  and  counsel,  and  I  really  am  pleased  to  have  her  before  this 
committee  today,  and  she's  always  very  able  to  render  thoughtful 
and  insightful  testimony  and  I  appreciate  that. 

Welcome,  Kathleen. 

Chairman  Leach.  Thank  you  very  much.  It  looks  like  you  come 
with  near  perfect  credentials,  Mrs.  Sebelius,  although  some  of  us 
would  prefer  that  you  took  your  father-in-law's,  rather  than  your 
father's,  party.  You  are  very  welcome  and  please  proceed  as  you  see 
fit. 

STATEMENT  OF  HON.  KATHLEEN  SEBELIUS,  COMMISSIONER 
OF  INSURANCE,  STATE  OF  KANSAS;  VICE  PRESIDENT,  NA- 
TIONAL ASSOCIATION  OF  INSURANCE  COMMISSIONERS 

Ms.  Sebelius.  Thank  you,  Mr.  Chairman.  It  is  nice  to  be  here 
and  nice  to  be  here  with  half  of  our  congressional  delegation,  my 
own  Congressman  and  my  friend.  Congressman  Moore.  I  appreciate 
the  opportunity  to  be  here  and  also  bring  you  greetings,  Mr.  Chair- 
man, from  your  own  insurance  commissioner,  Terry  Vaughan,  who 
is  now  serving  as  Secretary-Treasurer  of  our  association.  We  have 
just  finished  four  days  of  insurance  meetings,  our  summer  meet- 
ings, so  she  said  to  be  sure  to  extend  her  greetings  to  you. 

Unfortunately,  my  colleague,  Glenn  Pomeroy,  who  is  a  former 
President  of  our  association  from  North  Dakota,  and  whose  brother 
serves  with  you  in  the  House,  is  stuck  in  Bismarck.  Planes  couldn't 
get  out  of  Minneapolis  last  night,  and  couldn't  get  Mr.  Pomeroy  to 
Washington  today,  so  he  apologizes  for  his  absence  at  this  hearing. 

What  I  would  like  to  do  before  I  talk  a  bit  about  health  privacy, 
Mr.  Chair,  is  just  use  a  few  minutes  to  give  you  an  update  on  the 
way  insurance  regulators  are  moving  to  comply  with  the  features 
of  Gramm-Leach-Bliley,  which  is  a  fairly  sweeping  change  for  regu- 
lators. I  think  it  is  safe  to  say  that  the  passage  of  this  bill  focused 
attention  and  mobilized  my  colleagues  from  around  the  country  to 
move  very  quickly  to  comply  with  various  aspects  of  that  bill.  In 
just  three  short  months  we  have  had  50  State  regulators  sign  a 
statement  of  intent  on  implementation  features  which  have  a  com- 
prehensive buy-in  for  uniform  standards  across  the  country  on  a 
variety  of  issues,  including  a  more  efficient  and  uniform  regulation 
of  the  financial  services  marketplace. 

We  have  nine  different  commissioner-level  working  groups  in 
place  to  implement  the  law  in  areas  like  privacy,  agent  licensing 
and  speed  to  market  for  insurance  products.  The  Gramm-Leach- 
Bliley  has  created  expectations,  and  frankly,  our  goal  is  to  exceed 
these  expectations.  We  feel  it  gives  us  a  good  framework  to  move 
to  a  21st  Century  regulatory  system  and  we  have  been  hard  at 
work  doing  that. 

Having  said  that,  I  also  appreciate  the  opportunity  to  testify  on 
the  very  important  issue  of  health  information  privacy  and  the  new 
legislation  before  this  committee,  H.R.  4585.  This  will  be  the  sixth 
time  during  the  course  of  the  106th  Congress  that  we  have  come 


26 

to  testify  on  health  privacy,  and  are  pleased  to  see  that  there  is  a 
recognition  in  this  proposal,  as  there  is  in  the  President's  proposal, 
to  recognize  that  an  unintended  consequence  of  Gramm-Leach-Bli- 
ley  is  the  fact  that  a  consumer's  sensitive  health  information  can 
now  be  shared  freely  without  distinction  from  other  sorts  of  finan- 
cial information. 

Although,  as  you  all  know,  health  privacy  wasn't  specifically  in- 
cluded in  the  language  of  Gramm-Leach-Bliley,  the  Federal  regula- 
tions changed  that  landscape,  because  the  definition  of  financial  in- 
formation now  includes  health  information.  Unfortunately,  given 
the  framework  of  the  original  bill,  the  law  doesn't  provide  the  kind 
of  stringent  protection  that  we  feel,  and  most  consumers  feel,  is 
needed  for  sensitive  health  information. 

Mr.  Chair,  the  regulators  were  very  sensitive  to  the  pleas  from 
the  industry  that  the  financial  portion  of  the  regulations  that  we 
were  mandated  to  promulgate  for  insurers  across  this  country, 
would  not  put  them  at  a  competitive  disadvantage  with  their  col- 
leagues. As  such,  our  initial  draft  regulations  follow  the  guideline 
set  out  by  Gramm-Leach-Bliley.  On  the  other  hand,  the  commis- 
sioners felt  unanimously  that  health  information  needed  to  be 
treated  differently,  should  be  treated  differently,  and  we  are  in  the 
process  of  crafting  regulations  which  would  separate  out  health  in- 
formation and  provide  for  the  same  kind  of  opt-in  standard  that 
you  have  provided  in  this  bill. 

Specifically,  I  would  like  to  highlight  a  couple  of  areas  where 
there  is  a  lot  of  consistency  between  our  approach  and  the  ap- 
proach of  H.R.  4585.  First  is  the  basic  recognition  that  health  infor- 
mation should  be  treated  differently  than  financial  information. 
Second,  it  should  be  treated  with  more  protection  than  financial  in- 
formation with  an  opt-in  standard  across  the  board. 

Again,  the  NAIC  framework  has  been  always  to  say  it  is  the  in- 
formation that  should  be  protected,  not  necessarily  the  entity  that 
has  that  information.  So  in  our  prior  models  and  in  our  current 
regulations,  we  don't  delineate  between  a  worker's  compensation 
company,  an  auto  insurance  company,  a  life  insurance  company  or 
a  health  insurer  who  may  have  health-sensitive  information.  We 
think  it  is  the  information  that  deserves  the  same  kind  of  protec- 
tion. And  it  should  be  across  the  board  with  financial  institutions, 
again,  recognized  by  your  bill. 

These  aspects  of  your  bill  mirror  the  standing  NAIC  policy,  and 
we  applaud  your  efforts  in  amending  Gramm-Leach-Bliley  to  in- 
clude these  important  protections.  As  I  said,  we  have  been  fairly 
consistent  on  this.  We  had  a  model  in  1980,  a  general  privacy 
model,  that  recognized  an  opt-in  standard.  We  updated  that  model 
in  1998  specifically  for  health  information,  again  recognizing  an 
opt-in  standard.  And  we  are  currently  at  work  drafting  the  model 
regulations  which  we  will  urge  our  colleagues  across  the  country  to 
implement  in  compliance  with  the  Gramm-Leach-Bliley  regula- 
tions, and  which,  again,  have  an  opt-in  standard  for  health  infor- 
mation. 

Frankly,  it  is  probably  preferable  if  Congress  acts  on  this  meas- 
ure, because  that  is  a  way  to  ensure  that  the  standard  is  in  place 
simultaneously  around  the  country  and  doesn't  need  to  wait  on  a 
State-by-State  implementation  of  the  regulatory  framework.  It  is 


27 

that  framework  that  we  are  here  to  urge  you  to  move  forward  on. 
We  do  have  an  accelerated  timetable  for  finalizing  our  regulation. 
As  you  know,  the  Federal  regulations  were  not  final  until  mid-May 
of  this  year.  We  wanted  to  wait  and  see  the  framework  of  the  final 
financial  Federal  regulations  before  we  moved  ahead,  but  we  hope 
to  have  the  final  draft  of  the  regulations  for  insurers  ready  by  Sep- 
tember, so  States  can  move  either  with  their  own  regulatory  au- 
thority, or  in  next  year's  legislature,  to  put  these  in  place. 

As  has  already  been  discussed,  a  lot  of  what  is  in  your  bill  mir- 
rors the  HHS  regulations,  but  given  the  jurisdiction  of  Health  and 
Human  Services,  a  lot  of  entities  who  collect  and  hold  sensitive  fi- 
nancial information  will  not  be  covered  by  the  regulations,  which, 
at  the  earliest,  I  think  are  scheduled  to  be  effective  December  of 
2002. 

So  we  are  still  a  long  way  from  seeing  some  sort  of  standard  on 
health  privacy  regulations.  Having  said  that,  Mr.  Chair,  the  insur- 
ance commissioners  across  this  country  look  forward  to  working 
with  this  committee  on  this  very  important  issue.  We  applaud  sep- 
arating health  information,  having  an  opt-in  standard  for  health 
information,  and  urge  you  to  move  forward. 

[The  prepared  statement  of  Hon.  Kathleen  Sebelius  can  be  found 
on  page  87  in  the  appendix.] 

Chairman  Leach.  Thank  you  very  much,  Ms.  Sebelius. 

Mrs.  Roukema. 

Mrs.  Roukema.  Mr.  Chairman,  I  am  going  to  reserve  my  time. 
Thank  you. 

Chairman  Leach.  Mr.  Ryun. 

Mr.  Ryun.  I  would  like  to  ask  a  question  related  to  your  testi- 
mony. Apparently,  you  share  a  very  disturbing  story  with  regard 
to  a  company  that  apparently  shares  a  claimant's,  if  you  will,  pre- 
scription information  with  a  pharmaceutical  company.  Then  it  tried 
to  market  those  particular  products  to  the  customer's  physician. 
Now,  how  often  does  this  happen?  Is  this  simply  an  isolated  situa- 
tion or  is  it  rather  frequent? 

Ms.  Sebelius.  Frankly,  Congressman  Ryun,  I  can't  enumerate 
the  number  of  times.  I  chaired  the  Privacy  Working  Group  that 
drafted  our  1998  model,  and  that  testimony  was  part  of  the  hearing 
process  that  came  forward.  We  heard  a  number  of  very  disturbing 
pieces  of  testimony  where  bits  of  medical  information  were  re- 
vealed, clearly  not  by  the  consumer,  but  by  some  entity  collecting 
it. 

I  know  that  in  my  own  situation,  and  I  have  had  a  gentleman 
in  Atchison  come  up  to  me  after  a  speech  I  gave  on  medical  pri- 
vacy, to  say  that  he  was  terribly  concerned,  because  he  had  just 
finished  a  series  of  tests  which  resulted  in  his  diagnosis  as  an  adult 
onset  diabetic.  Within  about  a  week  of  that  confirmation  by  the 
medical  clinic,  he  began  receiving  bulk-rated  syringe  mailings,  in- 
sulin alternative  products,  a  variety  of  information.  As  he  said  to 
me,  "I  didn't  put  a  bumper  sticker  on  my  car.  I  didn't  put  a  sign 
in  my  yard  that  said  'guess  what,  I  am  a  diabetic'  I  didn't  take  an 
ad  out  in  the  Atchison  Globe,  but  somebody  in  that  chain  of  events 
did  release  my  information,  and  I  am  now  seen  as  a  marketing 
tool." 


28 

He  was  quite  unhappy  with  that,  and  unfortunately,  I  think  it 
happens  more  often  than  we  would  like.  I  can't  quantify  around  the 
country  how  many  times  it  has  gone  on. 

Mr.  Ryun.  What  we  are  advocating  here,  do  you  think  in  this  sit- 
uation it  would  help  solve  part  of  this  problem? 

Ms.  Sebelius.  I  think  it  would  help  greatly.  As  has  already  been 
raised  by  earlier  questions  to  the  Assistant  Treasury  Secretary,  the 
combination  of  this  bill,  which  is  aimed  at  financial  institutions, 
and  the  currently-pending  Health  and  Human  Services  regulations, 
which  cover  a  broader  scope  of  health  plans,  providers,  hospitals 
and  medical  information,  creates  a  pretty  substantial  umbrella  for 
those  who  are  collecting  and  holding  financial  information  to  pro- 
hibit sharing  without  specific  consumer  consent. 

Having  said  that,  I  think  that  our  draft  model,  and  certainly  we 
would  urge  the  committee  when  regulations  will  be  drafted,  creates 
large  business  exemptions.  We  recognize  that  insurers,  for  in- 
stance, need  to  process  health  information  on  a  regular  basis  to  pay 
Workers'  Compensation  claims,  analyze  a  PIP  auto  carrier,  or  un- 
derwrite a  product,  and  those  were  recognized  within  the  regula- 
tions that  we  would  put  forward.  It  doesn't  impede  the  business  of 
insurance,  but  it  does  preclude  you  from  sharing  information,  sell- 
ing it,  or  marketing  it  for  other  reasons  without  the  consumer  say- 
ing it  is  OK  to  do  so. 

Mr.  Ryun.  Thank  you. 

Mr.  Chairman,  thank  you. 

Chairman  Leach.  Thank  you. 

John. 

Mr.  LaFalce.  Thank  you  very  much. 

Ms.  Sebelius,  I  was  discussing  with  the  Chairman  earlier  pri- 
vately the  importance  of  trying  to  find  the  appropriate  role  for  both 
the  Federal  and  the  State  governments  on  so  many  different  issues 
with  respect  to  bank  charters,  with  respect  to  charters  of  credit 
unions,  and  so  forth.  One  of  the  areas  we  are  going  to  have  to  grap- 
ple with  in  the  future  is  the  appropriate  role  of  Federal  legislation 
as  opposed  to  State  legislation  in  protecting  privacy.  Do  you  think, 
as  a  starting  point  philosophically,  that  Federal  law  should:  A,  be 
preemptive  of  the  States?;  or  B,  just  establish  minimal  standards, 
but  not  preclude  the  States  from  adopting  their  own  additional  con- 
sumer standards? 

Ms.  Sebelius.  Congressman,  the  views  of  the  association  that  I 
am  here  to  represent,  and  my  own  personal  view,  are  that  the  kind 
of  Federal  floor  issue,  particularly  in  this  area,  is  very  appropriate. 
As  you  know.  State  law  has 

Mr.  LaFalce.  When  you  say  Federal  floor,  I  think  you  mean  it 
should  not  be  preemptive;  is  that  correct? 

Ms.  Sebelius.  That  is  correct.  The  way  I  understand  it,  at  least 
the  overall  framework  of  Gramm-Leach-Bliley,  particularly  in  the 
privacy  areas,  is  that  it  does  recognize  the  opportunity  for  States 
to  be  more  consumer  friendly,  more  restrictive.  States  have,  over 
the  course  of  fifty  years,  developed  various  kinds  of  health  privacy 
standards  often  tied  to  some  very  specific  kinds  of  laws  in  place, 
certain  kinds  of  Workers'  Compensation  systems  which  are  tracked, 
or  medical  tests  which  are  done  in  a  certain  State. 


29 

While  I  think  we  have  said  consistently  in  the  past  that  we  think 
there  is  a  clear  role  for  Congress,  we  believe  it  is  appropriate  to 
have  national  privacy  standards  governing  national  definitions, 
governing  a  large  area  of  this.  Our  caution  about  blanket  preemp- 
tion, particularly  in  the  privacy  arena,  is  the  unintended  con- 
sequences of  various  kinds  of  particular  State  laws  which  could  be 
wiped  out  and  could  actually  put  consumers  steps  behind  where 
they  are  right  now.  So  we  are  very  cautious  about  blanket  preemp- 
tions. 

Having  said  that,  I  think  we  would  encourage  moving  forward 
with  broad  guidelines  that  are  nationally  implemented  and  nation- 
ally known.  I  don't  want  to  go  skiing  in  Colorado  and  have  a  dif- 
ferent set  of  recordkeeping  for  my  medical  records  there  than  in 
Kansas.  I  don't  think  that  serves  the  consumer  well  and  it  cer- 
tainly is  very  difficult  for  an  industry  to  operate  under.  In  the 
major  areas  I  think  setting  standards  and  saying  these  should  be 
nationalized  are  very  appropriate. 

Mr.  LaFalce.  I  think  that  is  basically  the  approach  we  took  last 
year,  financial  services  modernization.  I  think  that  is  the  approach 
both  that  the  Chairman  and  I  have  taken  in  our  respective  bills 
further  addressing  the  issue. 

Now,  you  mentioned  that  the  NAIC  has  come  up  with  some 
model  standards,  model  legislation,  and  you  pointed  out  the  simi- 
larities between  the  model  legislation  you  come  up  with  and  the 
bill  introduced  by  the  Chairman  dealing  with  the  issue  of  medical 
privacy.  My  first  question  is,  did  your  model  standards  only  deal 
with  the  issue  of  medical  privacy,  or  did  you  consider  other  issues? 

Ms.  Sebelius.  We  attached  two  pieces  of  model  legislation  to,  I 
think,  the  written  comments.  Congressman  LaFalce.  The  1998 
model,  which  is  attached,  specifically  deals  with  health  information 
privacy  and  recognizes  a  need  to  carve  out  that  area.  The  earlier 
model,  which  I  think  was  1980,  dealt  with  across-the-board  infor- 
mation kept  by  insurers,  and  also  had  an  opt-in  standard  for  non- 
affiliates  to  receive  any  kind  of  information,  financial  or  health,  col- 
lected by  insurers. 

So  we  have  sort  of  dealt  with  both  areas.  But  the  1998 — the  new- 
est area,  was  dealing  very  specifically  with  health  in  lots  of  detail. 

Mr.  LaFalce.  Has  the  NAIC  reconsidered  its  1980  and  adopted 
it  anew,  or  you  have  just  not  gone  back,  that  is  two  decades  ago. 
There  were  a  few  advances  in  technology  and  electronics  and  mar- 
ket usage  in  the  past  two  decades. 

Ms.  Sebelius.  Right  now  we  are  in  the  process  of  trying  to  com- 
ply with  the  mandate  to  develop  regulations  as  functional  insurers 
to  apply  privacy  regulations  for  insurance  companies  across  the 
country.  We  are  developing  a  model  regulation  in  two  phases.  The 
first,  which  is  what  is  underway  right  now,  and  hopefully  will  be 
completed  by  September,  is  an  interim  regulation.  We  have  actu- 
ally drafted  it  with  a  sunset  clause  and  have  attempted  to  mirror, 
on  the  financial  side,  the  standards  that  are  in  Gramm-Leach-Bli- 
ley;  no  disclosure  among  the  affiliates,  and  an  opt-out  for  non-affili- 
ates, with  the  exception  of  health  information  where  we  are  draft- 
ing a  more  stringent  standard. 

I  will  share  with  you  that  there  are  a  number  of  colleagues  of 
mine  who  feel  very  strongly  that  we  should  revisit  even  those  ear- 


65-149    2001-2 


30 

lier  standards  for  financial  entities,  because  those  are  not  strong 
enough  and  are  not  protective  enough  of  consumer  interests  on  the 
financial  side,  and  we  see  that  as  phase  two. 

Mr.  LaFalce.  I  think  it  would  be  helpful,  mutually  helpful,  if  we 
kept  in  close  touch  on  these  developments,  because  we  could  both 
gain. 

If  I  could  go  back,  though.  You  addressed  similarities  between 
your  1998  standard  and  H.R.  4580,  and  there  are  similarities  be- 
tween that,  the  bill  that  I  introduced  working  in  concert  with  the 
Administration.  But  Mr.  Gensler  also  pointed  out  some  concerns. 
One  of  them  was  scope,  just  didn't  deal  with  other  issues.  Aside 
from  scope  is  and  not  dealing  with  other  issues,  there  was  some 
particular  difficulties  that  I  think  can  be  addressed.  Are  there  any 
dissimilarities  between  your  model  standards  and  H.R.  4580  that 
you  think  we  should  address,  and  particularly  what  about  the 
dissimilarities  that  Mr.  Gensler  pointed  out  in  particular? 

Ms.  Sebelius.  I  don't  want  to  misspeak,  because  I  am  not  as  fa- 
miliar as  I  should  be  with  all  the  details  of  H.R.  4585,  but  I  think 
that  there  really  aren't  any  inconsistencies.  In  fact,  the  draft  of  the 
bill,  our  privacy  model,  I  think,  could  be  used  as  regulations  to  im- 
plement the  bill  that  is  before  you. 

Mr.  LaFalce.  What  I  would  ask  then,  do  you  think  you  could, 
in  writing,  make  comment  on  the  specific  details  that  Assistant 
Secretary  Gensler  had  with  H.R.  6320? 

Ms.  Sebelius.  I  would  be  glad  to. 

Mr.  LaFalce.  Thank  you.  Thank  you,  Mr.  Chair. 

Chairman  Leach.  Mr.  Bentsen,  do  you  seek  recognition? 

Mr.  Bentsen.  Thank  you,  Mr.  Chairman.  I  think  you  have  one 
on  your  side  down  there. 

Chairman  Leach.  Mrs.  Biggert. 

Mrs.  Biggert.  Yes.  Thank  you,  Mr.  Bentsen.  Thank  you,  Mr. 
Chairman. 

You  mentioned  several  times  the  Workers'  Compensation  and  the 
auto  insurance  issue,  which  I  had  asked  before.  Do  you  think  there 
needs  to  be  something  put  into  this  bill  to  clarify  that  issue? 

Ms.  Sebelius.  Congresswoman,  I  think  that  as  I  read  this,  there 
is  nothing  inconsistent  in  here  with  having  a  regulation  that  would 
give  the  kind  of — I  think  you  are  going  to  need  very  specific  busi- 
ness exemptions.  It  is  part  of  what  is  contained  in  our  privacy 
model  which  is  attached.  We  really  tried,  again  from  the  insurance 
side,  to  think  through  carefully  what  are  the  areas  that  insurers, 
both  property,  casualty  and  health,  are  involved  in  where  health 
information  needs  to  be  shared. 

So  I  think  it  could  be  addressed  in  the  regulations.  I  think  it 
would  need  to  be  addressed  in  the  regulations,  and  perhaps  some 
notice  in  the  bill  could  do  that.  To  not  impede  the  business  of  in- 
surance specifically,  would  be  a  good  notice  in  the  overall  bill.  I 
don't  think  the  draft  of  the  bill  is  inconsistent  with  providing  those 
various  business  exemptions. 

Mrs.  Biggert.  The  other  issue  that  was  discussed  earlier  was  the 
State  guarantee  funds  and  how  they  operate.  Could  you  explain 
that  a  little  bit  to  me,  and  then  whether  there  should  be  some  clar- 
ification as  to  that  in  this  bill  also. 


31 

Ms.  Sebelius.  I  think  that,  again,  they  would  be  covered  in  a 
broad  business  exemption.  I  am  not  quite  sure,  and  I  know  that  is 
part  of  the  ACLI  testimony,  exactly  what  it  is  in  terms  of  the 
health  arena  that  a  guaranty  fund  would  receive,  which  would  be 
prohibited  by  this.  As  you  probably  all  know,  the  guaranty  funds 
assess  and  pay  for  claims  left  by  an  insolvent  company. 

So  it  is  typically  financial  information  which  is  gathered  and  ex- 
changed, but  if  this  would  somehow  impede  that  flow  of  informa- 
tion, we  would  certainly  not  favor  that,  and  I  think  it  could  be  eas- 
ily provided  for  by  an  additional  business  exemption. 

Mrs.  BiGGERT.  Thank  you.  Maybe  just  briefly  also,  since  I  have 
some  time  left,  could  you  just  tell  what  are  the  real  benefits  for 
consumers?  Are  they  heightened  or  are  they  lessened,  and  how 
does  this  really  benefit  a  single  consumer? 

Ms.  Sebelius.  I  think  most  people  believe  that  their  personal 
health  history  is  probably  the  most  sensitive  personal  information 
they  have.  It  seems  to  me  that  financial  institutions  may  actually 
be  enhanced  in  a  role  with  consumers  if  they  feel  they  are  in  a 
trusted  position,  and  that  the  information  they  give  to  get  a  life  in- 
surance policy  or  pay  an  auto  claim  or  get  pajmient  under  a  Work- 
ers' Compensation  system  is  not  going  to  be  marketed  to  their  dis- 
advantage, is  not  going  to  be  shared,  and  won't  be  used  by  a  mort- 
gage banker  to  not  give  them  a  home  loan  if  they  have  some  sort 
of  wrong  condition. 

I  think  consumer  confidence  is  key  to  any  commercial  dealings 
and  we  should  be  assuring  consumers  that  this  information  is  per- 
sonal and  private,  it  is  protected,  it  needs  to  be  exchanged  for  the 
commerce  of  doing  the  business  of  insurance  and  other  financial 
entities,  but  it  is  not  going  to  end  up  being  used  against  them.  It 
is  not  going  to  be  something  that  will  keep  them  from  getting  a 
loan,  driving  a  car,  operating  in  the  normal  business  of  their  work 
day.  I  think  that  goes  to  the  general  good,  and  given  the  ease  of 
collection  and  transfer  of  information,  I  think  it  is  even  more  crit- 
ical that  the  rules  be  clear  at  the  outset.  Consumers  should  know 
what  is  and  is  not  going  to  happen  to  the  information  they  give, 
and  that  there  is  some  regulatory  authority  who  is  making  sure 
that  the  companies  follow  those  rules. 

Mrs.  Biggert.  Thank  you. 

Thank  you,  Mr.  Chairman. 

Chairman  Leach.  Thank  you. 

Mr.  Bentsen. 

Mr.  Bentsen.  Thank  you,  Mr.  Chairman. 

I  still  remember  what  it  was  like  to  sit  down  on  the  lower  row, 
so  I  wanted  to  make  sure  that  Mrs.  Biggert  got  her  time  in  order. 

Mrs.  Sebelius,  I  want  to  ask  you  just  a  couple  of  questions.  One 
is  related  to  the  testimony  of  the  panel  that  will  appear  after  you. 
I  may  not  be  able  to  be  here  for  all  of  their  testimony,  and  so  I 
would  hope  and  expect  that  they  might  respond  to  the  question 
that  I  am  going  to  pose  for  the  record  as  well. 

I  haven't  read  all  of  the  testimony,  but  in  reading  some  of  the 
testimony,  a  number  of  the  organizations  surprisingly  would  op- 
pose provisions  of  the  Leach  bill  as  it  relates  to  an  opt-in  require- 
ment. They  raise,  I  guess,  this  is  my  question.  The  reason  that  they 
raise  is  specifically  with  respect  to  employer-provided  health  ben- 


32 

efit  plans  that  a  restrictive  opt-in  requirement  would  make  it  dif- 
ficult for  the  broker  or  the  insurance  provider  to  make  adjustments 
in  that  plan  with  whoever  I  guess  the  carrier  may  be. 

In  your  capacity  as  an  insurance  commissioner,  as  a  regulator, 
do  you  see  that  as  a  problem;  or  is  the  initial  agreement  between 
the  employee,  employer,  and  insurance  broker  or  underwriter  with 
an  opt-in  at  that  point,  would  that  be  sufficient  in  giving  the  insur- 
ance carrier,  broker,  underwriter,  whichever,  the  ability  to  make 
policy  changes  during  the  term  of  the  agreement  between  them  and 
the  employer?  Or  is  this  a  legitimate  concern  that  these  groups 
have? 

Second  of  all,  as  part  of  that,  they  raised  the  question  that  this 
could  become  problematic  between  the  insurance  carrier — how  the 
insurance  carrier  would  work  with  a  specific  health  care  provider. 
I  guess  the  example  might  be  when  you  go  into  the  emergency 
room  and  they  are  trying  to  verify  your  insurance  coverage  that 
there  is  a  potential  that  this  could  block  the  transfer  of  information 
that  would  then  make  the  provider  unwilling  to  provide  care  for 
some  particular  reason. 

And  then  I  have  another  question  after  that. 

Ms.  Sebelius.  Again,  Congressman,  I  think  that  in  the  employee 
benefit  plan  arena,  in  the  regulations  that  we  are  attempting  to 
put  in  place  right  now  covering  insurers,  we  recognize  that  it  isn't 
until  information  would  be  shared  actually  outside  the  general 
course  of  the  business  of  insurance,  that  triggers  the  notice  and  the 
disclosure  issue  would  be  triggered. 

I  do  think  if  the  employee  benefit  area  isn't  carved  specifically 
enough  into  this  umbrella,  it  would  be  relatively  easy  to  do  that  to 
include  it  in  the  broad  business  exemptions,  because  I  think  it  is 
important  to  conduct  the  business  of  insurance.  It  is  something 
that,  again,  I  think  we  tried  to  do  very  carefully  in  that  1998  model 
when  we  came  and  urged  Congress  to  look  at  it  as  one  of  the  possi- 
bilities to  meet  the  HIPAA  standards  that  were  at  that  point  pend- 
ing. 

I  think  in  the  treatment  area,  again,  the  model  attached  to  our 
testimony  deals  with  all  sorts  of  health  care-related  issues.  If  you 
go  into  an  emergency  room,  where  you  would  need  to  exchange  in- 
formation, what  if  you  have  an  unconscious  patient?  How  could  he 
or  she  give  disclosure?  You  don't  want  to  shut  down  the  possibility 
that  they  are  going  to  get  medical  treatment  if  they  can't  get  their 
records  accessed.  So  that  area  is  captured  and  I  think  very  much 
■present. 

The  way  I  read  H.R.  4585,  it  is  sort  of  the  "20,000  view"  level. 
It  captures  the  major  framework  of  what  then  would  be  imple- 
mented in  specific  regulations,  and  I  think  some  of  these  issues  and 
exemptions  are  not  inconsistent  with  the  framework.  They  would 
just  need  to  be  crafted  into  the  regulations  to  make  sure  that  they 
don't  impede  medical  treatment. 

You  also  don't  want  to  impede  research  issues.  There  are  broad 
exemptions,  I  think,  needed  for  the  research  community  to  make 
sure  you  don't  grind  that  to  a  halt  by  having  too  stringent  rules 
on  disclosure  and  nondisclosure  for  the  business  of  insurance,  but 
I  don't  think  those  are  inconsistent  with  the  notion  that  you  are 


33 

not  going  to  sell  or  market  or  share  this  information  outside  of 
doing  some  very  specific  activities. 

Mr.  Bentsen.  With  the  Chairman's  indulgence,  properly  crafted, 
an  opt-in  could  be  properly  crafted  that  would  not  impede  the  func- 
tioning of  the  insurance  agent  or  broker,  underwriter,  you  believe, 
and  still  provide  this  protection? 

Ms.  Sebelius.  We  believe  that  is  true,  and  actually  that  is  what 
we  are  going  to  advocate  that  our  colleagues  adopt  as  the  standard 
for  the  insurance  regulations  which  would  meet  the  Gramm-Leach- 
Bliley  mandate. 

Mr.  Bentsen.  I  am  going  to  have  to  leave,  but  I  have  one  quick 
question,  Ms.  Madam  Chairwoman.  I  would  hope  and  expect  that 
the  other  panel  would  address  that  issue  when  they  testify. 

Ms.  Sebelius.  They  have  been  addressing  me  for  the  last  four 
days,  up  close  and  personal.  I  am  sure  it  will  go  on. 

Mr.  Bentsen.  They  will  be  addressing  us  as  well.  You  said  in  re- 
sponse to  Mr.  LaFalce,  I  think  it  was,  the  concern  about  a  patch- 
work of  State  rules  with  respect  to  medical  privacy  protection,  am 
I  to  understand  that  you  would  favor  a  Federal  preemption  of  some 
sort  or  a  uniform  Federal  standard  as  it  relates  to  privacy  rules, 
and  that  would  be  somewhat  contrary  to  what  we  did  in  Gramm- 
Leach-Bliley? 

Ms.  Sebelius.  Congressman  Bentsen,  I  think  that  what  I  was 
trying  to  say  is  that  when  we  testified  in  the  period  that  the  Kasse- 
baum-Kennedy  bill  would  have  mandated  Federal  privacy  action  by 
August  of  1999,  that  we  urged  Congress  to  move  ahead  and  gave 
as  part  of  that  testimony  what  we  thought  would  be  a  framework 
that  would  at  least  work  well  for  insurers,  which  was  the  privacy 
model  attached. 

We  have  participated  actively  in  commenting  on  the  HHS  regula- 
tions which  are  pending,  and  which  eventually  will  at  least  be  in 
place  for  the  portion  of  the  industry  that  I  am  familiar  with  that 
holds  sensitive  health  information,  but  not  the  entire  industry.  I 
think  it  is  appropriate  that  we  have  broad  Federal  standards  in 
place  simultaneously  around  the  country  with  the  same  kind  of 
definitions  and  same  kind  of  protections  for  most  of  the  areas  of 
privacy. 

The  reason  I  have  the  caveat  that  I  do  is  that  there  are  literally 
thousands  and  thousands  of  State  laws  which  have  been  in  place 
for  half  a  century,  which  have  to  do  often  with  very  particular 
kinds  of  State  collections;  databanks.  Workers'  Compensation  sys- 
tems, special  tests.  In  Kansas,  we  do  a  special  test  for  hearing  of 
infants  that  is  not  nationally  promulgated,  but  it  is  done  specifi- 
cally. 

Wiping  out  in  one  fell  swoop  all  of  the  State  privacy  laws  which 
are  in  place  in  statutes  could,  I  think,  have  some  serious,  unin- 
tended consequences  for  consumers,  and  that  is  what  we  are  con- 
cerned about.  I  think  broadly  defining  and  outlining  an  area  where 
the  Rederal  rules  will  be  in  place  and  would  preempt  State  laws, 
makes  sense.  However,  you  need  to  be  very  cautious  about  what 
else  you  are  wiping  out  in  the  State  statutes. 

Mr.  Bentsen.  Thank  you. 

Thank  you.  Madam  Chairwoman. 

Mrs.  Roukema.  [Presiding.]  Thank  you. 


34 

I  do  have  a  question,  and  that  is,  this  bill  or  the  Chairman's  bill 
singles  out  for  a  particular  protection  information  relating  to  men- 
tal health  and/or  mental  condition,  and  it  requires  a  separate  and 
specific  customer  consent  for  disclosing  such  information. 

Now,  there  is  at  least  one  other  group  or  maybe  others  on  the 
next  panel  that  states  in  its  testimony  that  a  separate  consent  re- 
quirement for  mental  health  information  is  not  needed.  I  don't  be- 
lieve that  you  address  this  directly  in  your  testimony,  but  I  have 
a  special  interest  in  this  concern.  And  of  course  on  the  next  panel, 
we  will  also  be  having  the  American  Psychiatric  Association  giving 
its  own  testimony,  but  I  would  appreciate  having  your  input  and 
your  perspective  on  this  particular  question: 

Should  there  be  a  specific  separation?  I  believe  there  should  be 
a  specific  customer  consent  as  required  in  the  bill.  Could  you  please 
express  yourself  on  the  subject. 

Ms.  Sebelius.  I  am  not  sure  I  am  able  to  give  you  a  very  com- 
plete answer  on  that.  I  can  tell  you  that  at  least  our  old  models 
and  current  regulations  which  are  in  place  do  not  have  specifically 
enhanced  standards  for  mental  health.  And  as  far  as  I  know,  that 
was  not  a  topic  that  was  either  addressed  and  rejected  or  accepted 
during  the  course  of  that  process.  I  would  just  suggest  that  I  think 
there  could  be  other  groups  who  come  and  say,  you  know,  this  sort 
of  condition  or  illness  may  be  equally 

Mrs.  ROUKEMA.  You  are  saying  that  your  group  has  not  specifi- 
cally addressed  that? 

Ms.  Sebelius.  No.  So  I  am  not  able 

Mrs.  RouKEMA.  Can  you  explain  in  any  way,  even  from  your  own 
perspective,  how  you  could  possibly  separate  one  health  issue  from 
another? 

Ms.  Sebelius.  The  Chairman  may  be  better  able  to  answer  that. 
The  only  issue  that  I  am  aware  of  and  quite  sensitive  to  is  that 
there  is  a  strong  belief  that  mental  health  treatment  carries  with 
it  such  an  extraordinary  stigma  that  seeking  treatment  or  seeking 
information  about  treatment^  in  and  of  itself  may  deter  people  from 
getting  the  help  they  need;  and  so  having  additional  protections  at- 
tached to  confidentiality  in  that  area  may  actually  propel  people  to 
get  much-needed  help  and  treatment,  and  that  makes  sense  to  me. 

Mrs.  RouKEMA.  Thank  you.  I  appreciate  that. 

Mr.  Chairman,  I  have  concluded  my  questioning.  I  appreciate 
your  answer. 

Chairman  Leach.  [Presiding.]  We  have  no  further  questions.  We 
want  to  thank  you  very  much,  Mrs.  Sebelius. 

Ms.  Sebelius.  Thank  you.  We  do  look  forward  to  continuing  to 
work  with  the  committee  on  this  very  critical  issue.  Thank  you. 

Chairman  Leach.  Thank  you. 

Our  third  panel  is  composed  of  Richard  K.  Harding,  who  is  the 
President-Elect  of  the  American  Psychiatric  Association  and  Vice 
Chair  of  Clinical  Affairs  and  Professor  of  Psychiatrics  and  Pediat- 
rics at  the  University  of  South  Carolina  School  of  Medicine;  my 
former  colleague,  Mr.  Steve  Bartiett,  who  is  President  of  the  Finan- 
cial Services  Roundtable;  Mr.  Don  Brain,  who  is  President  of 
Lockton  Benefit  Company  of  Kansas  City,  Missouri,  on  behalf  of 
the  Independent  Insurance  Agents  of  America;  Mr.  Robert  H. 
Rheel,  Senior  Vice  President  of  Fireman's  Fund,  on  behalf  of  Amer- 


35 

ican  Insurance  Association;  Edward  L.  Yingling,  Deputy  Executive 
Vice  President  of  the  American  Bankers  Association;  and  Ms. 
Robbie  Meyer,  Senior  Counsel,  American  Council  of  Life  Insurance. 
We  will  begin  in  the  order  of  introduction.  Let  me  welcome  Pro- 
fessor Harding.  Please. 

STATEMENT  OF  DR.  RICHARD  K.  HARDING,  M.D.,  PRESIDENT- 
ELECT, AMERICAN  PSYCHIATRIC  ASSOCIATION,  VICE  CHAIR, 
CLINICAL  AFFAIRS  AND  PROFESSOR  OF  PSYCHIATRICS  AND 
PEDIATRICS,  UNIVERSITY  OF  SOUTH  CAROLINA  SCHOOL  OF 
MEDICINE 

Mr.  Harding.  Thank  you,  Chairman  Leach,  and  thank  you, 
Ranking  Member  LaFalce,  Mrs.  Roukema,  and  other  Members  of 
the  committee  for  this  opportunity  to  testify. 

In  addition  to  being  at  the  University  of  South  Carolina,  I  also 
served  on  the  National  Committee  on  Vital  and  Health  Statistics, 
which  advises  the  U.S.  Secretary  of  HHS  on  medical  privacy  and 
medical  information  issues.  But  I  am  here  today  testifying  as  Presi- 
dent-Elect of  the  American  Psychiatric  Association. 

We  now  face  what  a  bipartisan  national  panel  of  experts  called 
a  privacy  health  crisis.  Many  of  us  would  say  this  represents  some- 
what of  an  understatement.  As  many  of  you  saw  probably  a  month 
or  so  ago  on  the  newsstands,  a  magazine  that  said  we  know  every- 
thing about  you,  because  we  live  today  in  a  21st  Century,  cyber- 
space, high-defmition,  financial  and  health  care  system;  but  we 
also  live  with  medical  privacy  laws  that  are  more  along  the  lines 
of  the  bygone  black-and-white  television  era  of  Marcus  Welby,  M.D. 
While  there  are  some  very  good  corporate  citizens  who  are  volun- 
tarily protecting  patient  privacy,  such  actions  cannot  substitute  for 
statutory  protections  to  ensure  that  all  patients  will  enjoy  needed 
confidentiality  protections. 

Your  efforts,  Mr.  Chairman,  as  well  as  those  of  the  Clinton  Ad- 
ministration and  Mr.  LaFalce,  to  add  needed  privacy  protections  to 
the  Financial  Services  Modernization  Act  is  a  critical,  important 
first  steps;  and  we  strongly  urge  that  you  and  your  colleagues  come 
together  on  a  bipartisan  basis  and  pass  legislation  to  add  privacy 
protections  to  the  financial  modernization  law. 

As  we  consider  this  issue  today,  I  hope  that  each  and  every  one 
of  us  in  the  room  will  think  not  only  of  the  public  policy  issues  in- 
volved, but  also  in  terms  of  our  own  medical  records  and  those  of 
our  family  members.  Medical  records  contain  the  most  sensitive  in- 
formation about  ourselves  and  our  families,  and  as  dedicated  indi- 
viduals in  the  financial  services  are,  I  can  assure  you  that,  as  a  pa- 
tient, I  want  to  make  the  choice  myself  as  to  whether  my  medical 
information  is  disclosed  and  I  want  the  same  thing  for  my  family. 
The  decision  should  not  be  made  for  us  by  a  financial  institution, 
insurance  company,  or  a  bank's  mortgage  lender.  Disclosures  of 
certain  medical  records  information  can  jeopardize  my  career,  our 
careers,  our  friendships,  marriages  and  even  our  health. 

How,  you  might  ask,  can  financial  modernization  law  affect  med- 
ical privacy?  Kind  of  simply  put,  the  1999  financial  law  insurers, 
including  health  and  life  insurers,  can  easily  merge  with  banks  and 
other  financial  companies.  As  a  result  in  these  large  new  holding 
companies,  it  is  easy  for  any  one  of  these  entities  to  disclose  med- 


36 

ical  records  information  to  a  corporate  affiliate  such  as  a  life  insur- 
ance company,  bank,  mortgage  lender,  or  credit  card  issuer.  While 
I  have  no  doubt  that  the  new  law  will  produce  many  benefits,  we 
cannot  ignore  these  privacy  issues. 

In  addition  to  the  importance  of  privacy  and  consumer  trans- 
actions in  our  personal  and  professional  lives,  patient  privacy  is 
needed  for  physicians  to  provide  the  highest  quality  of  care.  It  is 
often  forgotten  that  doctor-patient  confidentiality  is  an  essential 
element  for  effective  medical  treatment.  Without  this  high  level  of 
patient  trust,  many  people  will  be  deterred  from  seeking  needed 
health  care  and  for  making  a  full  and  frank  disclosure  of  informa- 
tion needed  for  this  treatment.  This  is  particularly  true  in  psy- 
chiatric care. 

In  1996,  the  Supreme  Court,  in  the  Jaffe  v.  Redmond  decision, 
mental  health  information  was  decided  to  be  so  sensitive  that  addi- 
tional privacy  protections  are  needed  for  psychiatric  treatment.  The 
Court  held  that,  "Effective  psychotherapy  depends  upon  the  atmos- 
phere of  confidence  and  trust,  and  for  this  reason,  the  mere  possi- 
bility of  disclosure  may  impede  the  development  of  the  confidential 
relationship  necessary  for  successful  treatment."  We  also  were 
pleased  with  the  1999  U.S.  Surgeon  General's  report  on  mental 
health  research,  and  he  reached  a  similar  conclusion. 

H.R.  4585  establishes  a  key  principle  for  protecting  the  medical 
records  held  by  financial  services  companies.  The  legislation  would 
create  a  general  rule,  allowing  patients  to  choose  if  their  medical 
records  will  be  disclosed  to  an  affiliate  company  or  nonaffiliated 
third  parties.  In  these  cases,  companies  would  need  the  express 
written  consent  of  the  patient  before  disclosing  medical  records. 

We  strongly  support  this  patient  consent  rule.  I  am  equally  en- 
thusiastic about  the  bill's  general  rule  ensuring  the  patient's  men- 
tal health  records  not  be  disclosed  without  the  patient's  separate 
and  specific  consent. 

I  do  believe  there  needs  to  be  further  discussion  on  the  provisions 
implementing  these  general  rules.  No  one  wants  the  exceptions  to 
the  rule  to  swallow  the  rule.  Yet,  as  currently  drafted,  do  these  pro- 
visions ensure  that  in  the  routine  course  of  business,  patient  con- 
sent will  be  voluntary  and  noncoerced?  This  remains  unclear.  Like- 
wise, the  Secretary  is  now  given  new  authority  to  create  additional 
exceptions. 

We  look  forward  to  working  on  these  issues  with  you  and  your 
staff  so  the  consumers  in  the  real  world  enjoy  meaningful  new  pro- 
tections. Thank  you  for  this  opportunity  to  testify. 

[The  prepared  statement  of  Dr.  Richard  K.  Harding  M.D.,  can  be 
found  on  page  150  in  the  appendix.] 

Chairman  Leach.  Thank  you  very  much,  Professor  Harding. 

Congressman  Bartlett. 

STATEMENT  OF  HON.  STEVEN  BARTLETT,  PRESIDENT, 
FINANCL\L  SERVICES  ROUNDTABLE 

Mr.  Bartlett.  Mr.  Chairman,  Madam  Chairwoman,  Members  of 
the  committee,  I  appreciate  the  chance  to  be  here. 

The  Financial  Services  Roundtable,  as  you  know,  is  a  national 
association  of  100  of  the  Nation's  largest  integrated  financial  serv- 


37 

ices  firms,  and  as  such,  our  member  companies  engage  in  banking, 
securities,  insurance  and  other  financial  services  activities. 

Mr.  Chairman,  I  am  here  to  support  your  legislation,  the  purpose 
of  the  legislation,  and  to  encourage  you  in  this  process.  The  Round- 
table  believes  that  protecting  the  confidentiality  of  health  informa- 
tion that  is  in  the  possession  of  a  financial  institution  is  a  matter 
that  merits  a  uniform  national  policy.  We  supported  similar  legisla- 
tion within  Gramm-Leach-Bliley  last  year.  We  were  disappointed 
when  that  legislation  was  deleted  for  reasons  which  we  don't  un- 
derstand and,  Mr.  Chairman,  we  commend  you  on  your  leadership 
and  consistency  in  promoting  medical  privacy.  We  support  that  leg- 
islation today,  and  we  would  support  it  in  the  future  if  it  comes  up 
in  the  future. 

I  want  to  say  at  the  outset  of  this  statement  that  the  member 
companies  that  I  represent — and  so  far  as  I  know,  most  providers 
of  financial  services  do  not  use  or  disclose  health  information  de- 
rived from  their  customers  other  than  for  medical  reasons  or  as 
otherwise  intended  by  their  customers.  In  other  words,  this  issue 
is,  at  best,  a  potential  loophole  in  our  privacy  laws,  but  it  has  quite 
a  high  emotional  impact;  and  so  even  as  a  potential  loophole,  we 
believe  it  ought  to  be  closed. 

Mr.  Chairman,  overall,  the  members  of  the  Roundtable  believe 
that  on  the  overall  issue  of  sharing  information,  that  the  sharing 
of  consumer  information,  in  general,  with  affiliates  and  third  par- 
ties can  and  generally  does  benefit  consumers  of  financial  services. 
Information-sharing  between  affiliates  can  permit,  and  with  out- 
side third  parties  can  permit,  an  integrated  firm  to  structure  prod- 
ucts and  services  that  meet  a  customer's  specific  needs.  We  sup- 
port, therefore,  Gramm-Leach-Blileys  privacy  protections,  because 
it  provides  for  both;  the  consumer  benefits  from  appropriate  infor- 
mation-sharing as  well  as  protecting  customer  confidence. 

However,  we  think  that  medical  privacy  is  in  a  whole  different 
category,  that  medical  information  is  in  a  separate  category  and 
ought  to  be  dealt  with  in  a  much  stricter  fashion  in  which  the  in- 
formation should  only  be  used  for  medical  purposes,  as  it  was  in- 
tended. 

We  believe  that  medical  institutions  already  have  an  obligation 
to  maintain  the  confidentiality  of  medical  records.  That  is  an  indus- 
try practice.  We  think  it  is  covered  by  a  myriad  of  State  laws,  regu- 
lations, various  voluntary  industry  practices  and  court  cases,  and 
we  think  that  what  is  called  for  here  is  a  uniform  national  policy. 

Mr.  Chairman,  having  expressed  my  support  for  the  bill  in  its 
proposed  form,  as  well  as  in  its  purpose,  the  bill  is  not  without 
some  details  that  I  believe  need  some  change.  We  have  worked 
with  the  member  companies  of  all  kinds  of  financial  institutions, 
and  we  cite  in  our  testimony  a  number  of  changes,  some  of  which 
are  highly  significant,  that  I  would  put  in  the  must-change  cat- 
egory for  this  legislation  to  work. 

Number  one  is,  in  Gramm-Leach-Bliley  there  are  uniform  excep- 
tions to  the  confidentiality,  and  we  think  that  those  exceptions 
ought  to  be  mirrored  in  medical  privacy.  First,  and  probably  most 
important  and  the  one  most  significant  part  of  this  whole  legisla- 
tion as  it  is  currently  drafted,  is  that  the  bill,  as  drafted,  would  not 
allow  an  insurance  firm  to  share  information  with  an  insurance 


38 

rating  advisory  organization  or  a  State  insurance  guaranty  fund.  If 
such  information  cannot  be  shared  freely  with  the  rating  organiza- 
tions, then  the  estabUshing  of  rates  is  not  going  to  be  possible. 

Now,  Mr.  Chairman,  perhaps  there  are  some  that  believe  we 
ought  to  eliminate  rating  of  insurance  and  have  one  giant  pool  of 
270  million  Americans.  I  don't  think  that  would  be  the  intent  of 
Congress;  I  don't  think  that  would  be  the  view  of  the  majority  of 
the  American  people.  But  if  there  is  legislation  to  do  that,  we  ought 
to  have  legislation  that  does  that  and  not  do  it  in  a  back  door  way 
through  some  other  topic. 

Second,  the  Gramm-Leach-Bliley  provides  other  exceptions  for 
the  sharing  of  information  with  service  providers  which  ought  to 
continue  in  this  legislation,  and  then  other  Gramm-Leach-Bliley  ex- 
ceptions. Mr.  Chairman,  we  also  believe  that  the  consumers'  access 
to  correct  their  information  has  some  ways,  which  I  suggest  in  my 
written  testimony,  in  which  it  can  be  drafted  in  a  way  that  is  more 
beneficial  to  consumers. 

Next,  we  believe — and  we  have  looked  at  the  mental  health  pro- 
vision. We  think  it  is — we  appreciate  the  intent  of  the  mental 
health  provision,  but  Mr.  Chairman,  I  have  to  say  that  we  believe 
that  this  legislation  is  a  mere  absolute  prohibition  of  the  use  of 
medical  information  either  physical  or  mental  for  uses  that  it 
wasn't  intended  for.  We  think  that  prohibition  ought  to  apply 
equally  to  heart,  lung,  or  mind  and  there  is  no  particular  reason 
that  it  ought  to  be  separate. 

Last,  Mr.  Chairman,  I  would  say  that  we  strongly  believe  there 
is  a  need  for  a  national  standard.  Every  State  has  a  different  law. 
There  are  multiple  laws  in  different  States.  Only  two  States  have 
a  comprehensive  law.  There  are  twelve  States  that  have  model 
laws.  All  the  others  have  a  variety  of  laws,  and  then  you  have  the 
Federal  regulations  on  top  of  that  and  court  cases  on  top  of  that. 

We  think  this  issue  calls  out  for  a  national  standard  and  we 
would  encourage  you  to  include  that  in  the  legislation. 

[The  prepared  statement  of  Hon.  Steven  Bartlett  can  be  found  on 
page  155  in  the  appendix.] 

Chairman  Leach.  Thank  you  very  much. 

Mr.  Brain. 

STATEMENT  OF  DONALD  C.  BRAIN,  JR.,  CPA;  PRESIDENT, 
LOCKTON  benefit  company,  on  behalf  of  the  INDE- 
PENDENT INSURANCE  AGENTS  OF  AMERICA 

Mr.  Brain.  Thank  you,  Mr.  Chairman,  Members  of  the  com- 
mittee. My  name  is  Don  Brain.  I  am  President  of  Lockton  Benefit 
Group.  We  are  the  eleventh  largest  employee  benefits  consulting 
and  brokerage  firm  in  the  country  and  the  nearly  2000  employees 
of  Lockton  Benefit  Group  administer  and  work  with  clients  all  over 
the  United  States  in  their  employee  benefit  programs. 

Today  I  am  appearing  on  behalf  of  the  insurance  agents  and  bro- 
kers, the  nearly  one  million  men  and  women  who  work  in  every 
part  of  the  United  States.  These  professionals  are  represented  by 
the  Independent  Insurance  Agents  of  America,  IIAA,  of  the  Na- 
tional Association  of  Insurance  and  Financial  Advisors,  formerly 
known  as  the  National  Association  of  Life  Underwriters  and  the 
National  Association  of  Professional  Insurance  Agents, 


39 

I  serve  as  the  IIAA's  Governmental  Affairs  Committee  member, 
the  health  care  liaison  to  that  committee.  In  addition  to  my  role  at 
Lockton  Benefit  Group,  many  of  my  associates  are  members  of 
NAIFA  and  the  Association  of  Health  Insurance  Advisors.  NAIFA's 
conference  is  devoted  exclusively  to  health  insurance  and  benefits 
issues.  All  three  associations  represent  health  insurance  profes- 
sionals all  over  the  country. 

The  associations  that  I  am  appearing  on  behalf  of  commend  you 
for  your  leadership  in  bringing  H.R.  4585,  the  Medical  Financial 
Privacy  Act,  to  thas  testimony  today.  We  appreciate  you  holding 
this  hearing  and  allowing  us  to  testify  on  behalf  of  this  legislation. 

Perhaps  there  is  no  more  important  topic  today  in  politics  than 
the  privacy  of  information,  particularly  medical  information.  At  the 
outset  we  appreciate  your  leadership  in  this  area  and  we  appre- 
ciate your  sensitivity  in  working  with  all  three  associations  and 
their  concerns  to  protect  consumers'  privacy  regarding  their  med- 
ical histories. 

The  primary  message  that  I  want  to  relate  to  is  that  we  want 
to  work  with  you  and  Ranking  Member  LaFalce  in  making  sure 
that  this  bill  becomes  the  law  of  the  land.  The  insurance  agents 
fully  support  the  overarching  objective  to  protect  individual  sen- 
sitive health  information  and  your  approach  to  achieving  that  ob- 
jective. At  the  same  time  insurance  agents  need  to  share  informa- 
tion that  they  receive  in  the  normal  course  of  business  and  with 
health  care  and  health  care  providers  in  order  to  provide  a  high 
level  of  service  and  the  employee  benefits  of  health  care  that  we 
all  want  and  need.  Indeed,  the  vast  majority  of  small  businesses  in 
the  United  States  cannot  afford  separate  health  benefits,  adminis- 
tration services  or  human  resource  services  and  rely  on  agents  to 
fill  those  roles  for  their  businesses. 

From  our  perspective  the  only  clarification  that  is  necessary  to 
ensure  that  the  ongoing  administration  of  employee  benefit,  em- 
ployer-sponsored health  benefit  programs  and  Workers'  Compensa- 
tion programs  is  not  disrupted  in  any  way  is  to  specifically  provide 
that  this  information  obtained  in  conjunction  with  the  administra- 
tion of  these  plans  is  not  used  for  any  purpose  other  than  adminis- 
tration or  securing  information  on  a  replacement  plan. 

Historically,  the  agent  system  has  worked,  has  been  the  principal 
method  of  distribution  for  the  life  and  health  industry  in  the 
United  States.  Agents  have  been  the  essential  link  between  the 
consumers  and  the  insurance  company  providing  services  and  prod- 
ucts while  educating  consumers  in  how  to  manage  risks  and  how 
to  make  informed  choices  about  insurance  purchases. 

Dramatic  increases  in  health  costs  over  the  last  decade  have 
caused  the  agents  role  to  become  even  more  important  as  part  of 
the  health  equation.  Agents  fill  roles  in  helping  clients  evaluate 
programs,  educating  them  about  information  they  need  to  make  in- 
formed decisions,  often  making  specific  recommendations  on  pro- 
grams that  are  designed  to  fill  their  needs  and  fit  their  budgets. 
We  work  with  clients  to  ensure  that  accurate  and  complete  infor- 
mation is  available  to  secure  the  lowest  possible  premiums  on  their 
behalf  in  the  marketplace.  We  keep  in  touch  with  them  constantly 
to  review  and  update  periodic  information  and  assist  them  in  com- 
pliance requirements.  We  also  review  claims  information  and  serve 


40 

as  ombudsmen  in  their  dealing  and  associates  dealing  with  insur- 
ance companies.  We  assist  business  owners  in  communicating  ben- 
efit packages  to  their  employees. 

At  the  outset,  IIAA,  NAIFA  and  PIA  share  the  overarching  con- 
cern about  confidentiality  of  medical  information.  Although  H.R, 
4585  would  help  ensure  that  these  confidentiality  objectives  are 
met,  it  must  be  clarified  to  make  clear  that  these  restrictions  are 
not  intended  to  interfere  with  the  provision  of  employer-sponsored 
group  health  plans  or  Workers'  Compensation  programs  in  any 
way. 

Without  these  clarifications  that  we  have  requested,  the  legisla- 
tion would  thus  undoubtedly  serve  to  both  increase  the  costs  of  pro- 
viding health  care  and  reduce  the  number  of  options  that  employ- 
ers would  be  able  to  consider.  This  would  greatly  undermine  the 
level  of  care  that  many  Americans  are  able  to  receive,  and  it  would 
likely  lead  to  a  tremendous  expansion  in  the  number  of  un-  or 
under-insured  Americans. 

In  addition,  many  employers  whose  rates  are  established  based 
on  claims  information  rely  on  agents'  review  of  the  accuracy  of  the 
financial  reports  generated  by  third-party  administrators  and  in- 
surance companies  to  ensure  that  their  claims  information  is  accu- 
rately reported. 

Thank  you. 

[The  prepared  statement  of  Donald  C.  Brain  Jr.  can  be  found  on 
page  159  in  the  appendix.] 

Chairman  Leach.  Thank  you  very  much,  Mr.  Brain. 

Mr.  Rheel. 

STATEMENT  OF  ROBERT  H.  RHEEL,  SENIOR  VICE  PRESIDENT, 
FIREMAN'S  FUND,  ON  BEHALF  OF  THE  AMERICAN  INSUR- 
ANCE ASSOCIATION 

Mr.  Rheel.  Thank  you,  Mr.  Chairman,  and  Members  of  the  com- 
mittee, for  the  opportunity  to  present  Fireman's  Fund  testimony  on 
behalf  of  the  American  Insurance  Association  on  H.R.  4585.  It  is 
my  privilege  to  appear  before  the  committee,  and  I  hope  that  my 
testimony  will  provide  you  with  helpful  information  as  you  move 
forward  with  this  bill. 

I  sit  before  you  today  not  as  an  attorney  or  a  regular  member 
or  an  individual  who  comes  through  this  great  Capitol  of  ours  to 
testify  on  behalf  of  bills.  In  fact,  this  is  the  first  time  that  I  have 
physically  been  in  the  Capitol  and  look  forward  to  future  visits. 

Instead,  my  profession  and  my  trade  is  as  a  business  leader  serv- 
ing the  needs  of  consumers.  I  would  like  to  share  with  you  today 
our  perceptions  of  what  this  bill  means  to  the  services  we  provide 
to  consumers  with  respect  to  Workers'  Compensation  insurance. 
We  all  agree  that  medical  privacy  is  an  important  issue  for  con- 
sumers and  for  those  financial  institutions  that  hold  that  informa- 
tion. However,  I  urge  you  to  take  due  consideration  of  the  uninten- 
tional harm  to  consumers  and  other  groups  that  you  are  seeking 
to  protect.  It  is  our  belief  that  the  broad  sweeping  changes  could 
have  negative  impacts  to  consumers  and  other  groups  with  respect 
to  Worker's  Compensation. 

In  particular,  if  we  look  at  the  basic  objectives  of  Workers'  Com- 
pensation, which  is  to  provide  no  fault  benefits  to  injured  employ- 


41 

ees,  a  safe  workplace,  return  injured  employees  back  to  a  produc- 
tive work  life,  we  believe  this  bill  will  prevent  us  from  serving 
those  needs.  Preventing  legitimate  sharing  of  information  with  em- 
ployees and  medical  vendors  and  affiliates  will  prevent  us  from  es- 
tablishing appropriate  timely  payments  to  injured  employees,  who 
could  not  establish  with  the  employer  the  appropriate  work  condi- 
tion to  return  the  injured  employee,  who  could  not  assist  doctors 
who  are  not  trained  in  occupational  medicine  to  address  medical  in- 
juries as  it  relates  to  occupational  injuries  and  how  to  return  in- 
jured employee  back  to  work,  who  could  not  conduct  appropriate 
Work  Comp  research.  Workers'  Compensation  research  is  an  impor- 
tant element  of  what  we  participate  in  in  order  to  improve  the  sys- 
tem for  all.  We  also  believe  we  cannot  prevent  the  cost  to  con- 
sumers to  increase  from  litigation,  from  fraud,  from  excess  litiga- 
tion as  it  relates  to  medical  information,  and  also  the  cost  of  ad- 
justed claims  would  go  up  with  respect  to  the  undue  burden  of  col- 
lecting additional  paperwork. 

Finally,  to  the  consumer,  we  could  not  provide  the  consumers 
with  information  on  the  cost  for  insurance.  As  for  their  fiduciary 
responsibility  to  pay  premiums  as  relates  to  compensation,  we 
could  not  provide  them  backup  information  with  respect  to  that 
premium.  Nearly  50  percent  of  the  cost  of  insurance  for  Workers' 
Compensation  relates  to  medical  payments.  Not  being  able  to  share 
this  information  with  employers  would  not  give  them  an  oppor- 
tunity to  understand  their  true  costs. 

Again,  we  thank  you  for  the  opportunity  to  testify  today,  and  I 
would  welcome  any  questions  you  may  have. 

[The  prepared  statement  of  Robert  H.  Rheel  can  be  found  on 
page  163  in  the  appendix.] 

Chairman  Leach.  Thank  you  very  much. 

Mr.  Yingling. 

STATEMENT  OF  EDWARD  L.  YINGLING,  DEPUTY  EXECUTIVE 
VICE  PRESIDENT,  AMERICAN  BANKERS  ASSOCIATION 

Mr.  Yingling.  Mr.  Chairman,  thank  you  for  holding  this  hearing 
on  medical  privacy.  Throughout  its  history  the  banking  industry 
has  protected  the  medical  information  of  its  customers.  Our  ap- 
proach is  straightforward.  Medical  information  should  only  be  used 
for  the  purpose  for  which  it  is  provided  and  should  not  be  shared 
without  the  express  consent  of  the  customer. 

Although  limited,  there  are  instances  where  medical  information 
is  relevant.  For  example,  in  small  businesses  where  the  franchise 
value  of  the  firm  hinges  on  one  or  two  individuals,  insurance  on 
these  individuals  might  be  required  for  a  loan.  In  these  cases,  the 
borrower  will  know  what  information  is  required  and  consent  to  its 
acquisition  and  use.  Otherwise,  medical  information  should  not  be 
used. 

On  June  6,  the  ABA,  joined  by  the  Financial  Services  Roundtable 
and  the  Consumer  Bankers  Association,  announced  new  voluntary 
guidelines  on  the  appropriate  use  and  protection  of  information. 
One  of  the  most  important  guidelines  relates  to  medical  informa- 
tion. This  guideline  states,  and  I  quote:  "Medical  information  will 
not  be  shared.  Financial  institutions  recognize  that  when  con- 
sumers provide  medical  information  for  a  specific  purpose  they  do 


42 

not  wish  it  to  be  used  for  other  purposes,  such  as  for  marketing  or 
in  making  a  credit  decision.  If  a  customer  provides  personal  med- 
ical information  to  a  financial  institution,  the  financial  institution 
will  not  disclose  the  information  unless  authorized  by  the  cus- 
tomer." 

This  and  the  other  nine  guidelines  represent  core  values  for  our 
industry.  Last  year,  the  ABA  supported  provisions  on  medical  pri- 
vacy that  were  contained  in  early  versions  of  the  Gramm-Leach- 
Bliley  Act.  We  were  disappointed  that  this  issue  was  not  dealt  with 
in  that  legislation.  Therefore,  the  ABA  supports  the  thrust  behind 
H.R.  4585. 

The  ABA,  however,  has  concerns  in  two  areas.  The  first  relates 
to  process.  While  broad  consensus  may  be  possible  on  a  targeted 
bill  on  medical  information,  the  financial  services  industry  would 
be  strongly  opposed  to  opening  up  the  privacy  provisions  of 
Gramm-Leach-Bliley  on  a  broader  front.  The  provisions  of  Gramm- 
Leach-Bliley  need  an  opportunity  to  work.  The  implementing  regu- 
lations are  complex,  and  I  would  add  that  the  cost  of  compliance 
will  be  huge.  Indeed,  for  your  information,  we  believe  that  it  is  a 
conservative  estimate  that  the  initial  cost  across  all  financial  serv- 
ices firms  will  be  in  excess  of  $1  billion,  with  additional  costs  each 
year. 

The  second  concern  relates  to  some  specific  provisions  in  the  bill, 
particularly  the  subsection  on  consumer  access  to  information.  We 
find  this  provision,  frankly,  totally  unworkable  in  the  real  world. 
We  recognize  it  was  taken  in  large  part  from  the  Administration's 
bill.  Under  the  literal  language  of  the  bill,  an  individual — and  that 
individual  does  not  even  have  to  be  a  current  customer — can  de- 
mand to  see  any  medical  information  that  might  be  anywhere  in 
the  financial  institution,  no  matter  for  what  purpose  it  is  held.  To 
comply  with  such  a  request,  the  institution  would  have  to  ask  em- 
ployees throughout  the  institution  if  they  somehow  had  obtained 
medical  information  about  that  consumer.  While  this  may  not  have 
been  the  intent,  it  is  a  plain  reading  of  the  language. 

Perhaps  there  is  a  misconception  the  financial  institutions  main- 
tain one  master  list  containing  all  information  about  a  consumer. 
This  is  not  the  case,  even  for  small  banks.  Typically,  there  are 
many  lists  developed  under  different  circumstances  or  for  different 
purposes.  Moreover,  information  may  be  kept  in  individual  employ- 
ee's files,  and  never  put  on  any  list  or  on  any  database.  For  exam- 
ple, under  the  bill,  a  bank  would  have  to  go  through  every  check 
written  by  a  consumer  and  every  credit  card  slip  to  see  if  they 
couldn't  find  any  medical  information,  a  process  that  is  not  done 
today  and  a  process  that  is  antithetical  to  the  notion  of  medical  pri- 
vacy. 

In  conclusion,  Mr.  Chairman,  the  ABA  believes  that  medical  in- 
formation should  only  be  used  for  the  purpose  for  which  it  is  pro- 
vided. However,  the  ABA  does  have  concerns  about  the  legislative 
process  going  beyond  medical  privacy  and  about  specific  provisions 
of  the  bill.  We  hope  that  these  concerns  can  be  addressed  by  the 
committee,  and  we  look  forward  to  working  with  the  committee  to 
that  end. 

[The  prepared  statement  of  Edward  L.  Yingling  can  be  found  on 
page  171  in  the  appendix.] 


43 

Chairman  Leach.  Thank  you  very  much. 
Ms.  Meyer. 

STATEMENT  OF  MS.  ROBBIE  MEYER,  SENIOR  COUNSEL, 
AMERICAN  COUNCIL  OF  LIFE  INSURERS 

Ms.  Meyer.  My  name  is  Robbie  Meyer,  and  I  represent  the 
American  Council  of  Life  Insurers,  the  ACLL  The  ACLI  thanks 
you,  Mr.  Chairman,  for  giving  us  the  opportunity  to  testify  before 
you  today  in  connection  with  the  Medical  Financial  Privacy  Protec- 
tion Act,  H.R.  4585.  We  also  commend  you  for  calling  this  hearing 
and  for  sponsoring  this  legislation. 

Life,  disability  income  and  long-term  care  insurers  are  well 
aware  of  the  very  unique  position  and  the  very  unique  responsi- 
bility they  have  regarding  an  individual's  personal  medical  and  fi- 
nancial information.  Toward  this  end,  the  ACLI  board  of  directors 
has  adopted  policy  in  relation  to  the  confidentiality  of  both  medical 
information  and  financial  information. 

Our  policy  principles  acknowledge  the  changing  horizon  of  the  fi- 
nancial marketplace.  We  support  strict  protections  for  medical 
record  confidentiality.  We  support  a  prohibition  on  an  insurer  shar- 
ing medical  records  with  a  financial  company  such  as  a  bank  for 
determining  eligibility  for  a  loan  or  credit  even  if  the  bank  and  the 
insurer  are  affiliates.  We  also  support  a  prohibition  on  the  sharing 
of  medical  information  for  marketing  purposes. 

Before  I  get  into  the  balance  of  my  prepared  comments,  however, 
I  did  want  to  respond  to  Congressman  Ackerman's  statement  re- 
garding our  sharing  of  information  for  posting  on  the  internet,  and 
wanted  to  state  unequivocally  that  it  is  a  fiction  to  say  that  life  in- 
surance companies  or  any  ACLI  member  companies  share  medical 
information,  encrypted  or  otherwise,  to  be  posted  on  the  internet  in 
order  to  decline  applicants  for  insurance  or  to  cause  them  to  be  de- 
clined for  insurance. 

The  very  nature  of  life,  disability  income  and  long-term  care  in- 
surance involves  very  personal  and  very  confidential  relationships. 
However,  in  order  for  us  to  serve  our  existing  and  our  prospective 
customers,  it  is  essential  for  us  to  be  able  to  obtain  and  use  con- 
sumers' personal,  medical,  as  well  as  their  financial  information  in 
order  to  perform  very  legitimate,  essential  insurance  business  func- 
tions. In  other  words,  life,  disability  income  and  long-term  care  in- 
surers must  be  able  to  use  medical  information  as  well  as  personal 
financial  information  in  order  to  underwrite  prospective  customers' 
applications  for  coverage,  in  order  to  process  their  claims,  and  in 
order  to  perform  essential,  and  related  administrative  functions  in 
connection  with  those  contracts. 

It  is  essential  for  us  to  share  and  disclose  information  in  order 
to  fulfill  legal  and  regulatory  mandates.  In  other  words,  it  is  essen- 
tial for  us  to  disclose  confidential  medical  information  to  State 
guaranty  funds.  They  need  to  be  able  to  have  access  to  individual 
identifiable  health  information  in  order  to  evaluate  health  informa- 
tion claims  that  a  claimant  might  submit  in  connection  with  an  in- 
surance company  that  has  become  insolvent.  Insurance  companies 
also  need  to  make  disclosures  and  to  share  information  with  State 
insurance  departments  and  law  enforcement  agencies  in  order  to 
detect  and  deter  fraud.  Also,  in  connection  with  very  ordinary  basic 


44 

business  transactions  such  as  reinsurance  treaties  or  mergers  and 
acquisitions,  it  is  also  necessary  for  us  to  share  our  customers'  in- 
formation in  order  to  effectuate  those  business  arrangements. 

As  you  know,  Title  V  of  the  Gramm-Leach-Bliley  Act  enacted  the 
strictest  regulatory  framework  ever  enacted  into  law  in  connection 
with  financial  records  privacy.  We  very  much  appreciate  the  fact 
that  your  bill,  Mr.  Chairman,  tracks  the  general  framework  of  Title 
V  in  seeking  to  balance  consumers'  very  legitimate  and  grave  con- 
cerns about  their  confidentiality  rights  with  insurers  need  to  use 
consumers'  medical,  as  well  as  their  financial,  information  in  order 
to  perform  legitimate  insurance  business  functions  which  are  nec- 
essary for  us  to  meet  American  consumers'  insurance  needs.  How- 
ever, we  are  concerned  that  the  bill  fails  to  achieve  this  balance, 
primarily  because  of  its  failure  to  totally  track  the  Gramm-Leach- 
Bliley  framework.  In  other  words,  we  are  concerned  that  the  bill 
does  not  include  the  Gramm-Leach-Bliley  provisions  dealing  with 
the  necessary  sharing  of  information  by  a  financial  institution  with 
the  State  guaranty  associations. 

We  are  also  worried  about  the  fact  that  it  does  not  include  the 
provisions  permitting  financial  institutions  to  share  information 
with  service  providers.  That  concern  arises  because  many  of  our 
member  companies  have  independent  agents  who  are  not  company 
employees,  with  whom  they  would  now  have  difficulty  or  be  hin- 
dered in  having  ordinary  business  communications  about  proposed 
new  insurance  policies,  or  the  best  policies  for  a  particular  indi- 
vidual under  particular  circumstances. 

We  are  also  concerned  by  the  broad  rights  the  bill  grants  con- 
sumers to  access  and  correct  information  held  by  a  financial  insti- 
tution, primarily  because  the  bill  does  not  clearly  protect  from  that 
access  information  that  an  insurer  may  have  collected  in  connec- 
tion with  a  fraud  or  a  material  misrepresentation  investigation  and 
also  materials  collected  in  preparation  for  litigation. 

Finally,  the  ACLI  strongly  supports  the  concepts  of  a  Federal 
preemption.  We  feel  very  strongly  that  individuals  who  live  across 
the  country  should  not  have  to  be  concerned  that  they  have  dif- 
ferent medical  records  privacy  protections  depending  upon  the 
State  in  which  they  live. 

And,  finally,  we  would  like  to  thank  you  once  again,  Mr.  Chair- 
man, for  giving  us  the  opportunity  to  testify. 

[The  prepared  statement  of  Robbie  Meyer  can  be  found  on  page 
182  in  the  appendix.] 

Chairman  Leach.  Thank  you  all  very  much.  Your  testimony  is 
very  helpful  and  certainly  as  we  go  forward  suggestions  of  a  spe- 
cific legislative  nature  we  will  certainly  review  as  well. 

Mrs.  Roukema. 

Mrs.  Roukema.  Thank  you,  Mr.  Chairman.  I  am  not  sure  that  I 
heard  with  specificity  the  explanations  as  to  how  people  or  how  in- 
dividual groups  stood  on  the  subject  of  the  mental  health  disclosure 
question.  But  I  will  say,  putting  it  another  way  to  this  group,  as 
I  have  on  other  occasions  to  business  groups,  there  are  certain 
issues  that  are  becoming  highly  emotional  and  highly  political  that 
have  the  potential  of  creating  a  backlash.  And  I  think  you  are  all 
aware  of  this,  particularly  if  you  have  been  reading  the  press  lately 
or  you  have  been  reading  our  e-mails  lately,  the  potential  of  ere- 


45 

ating  a  backlash — and  you  saw  some  of  that  when  we  got  into  the 
controversy  here  on  the  committee  with  H.R.  10  and  in  conference 
on  H.R.  10.  We  had  to  pull  back  from  some  of  the  things. 

But  the  point  is  that  if  we  can't  come  up  with  a  precise  definition 
in  this  brave  new  world  of  instant  communication,  and  also  these 
new  holding  companies  and  affiliate  relationships,  if  we  don't  come 
to  terms  with  that,  and  get  thinking  minds  on  both  sides  of  the 
issue,  whether  it  is  the  health  care  professionals  or  the  insurance 
groups  or  the  physician  services  together,  we  may  end  up  with 
something  that  all  of  us  are  going  to  wring  our  hands  over.  And 
so  I  didn't  hear  everyone's  comments,  but  I  do  have  to  ask  my  good 
friend  and  former  colleague,  Mr.  Bartlett,  I  am  sorry  that  I  really 
didn't  hear  any  specific  reason  as  to  where  your  group  or  any  of 
the  other  groups  might  object  to  the  mental  health  provision.  It 
seems  to  be  blatantly  obvious  out  there.  And  I  don't  know  what  is 
so  objectionable  to  treating  that  as  a  separate  entity,  as  the  Chair- 
man's bill  proposes.  Mr.  Bartlett,  if  you  want  to  substantiate  some 
of  your  general  comments  or  if  anybody  else  wants  to  add  to  it, 
please. 

Mr.  Bartlett.  Madam  Chairwoman,  we  are  available  to  be  con- 
vinced. Essentially  we  look  at  this  bill  not  as  an  opt-in  bill  or  not 
as  an  affirmative  consent  bill.  We  look  at  this  bill  as  a  prohibition 
against  using  medical  information  other  than  for  purposes  for 
which  it  was  intended.  We  think  that  same  prohibition  ought  to 
apply  to  mental  health  information  or  physical  health  information, 
^d  I  took  a  very  careful  look  at  this,  because  it  is  a  new  approach 
and  it  is  an  approach  that  is  talked  about  and  I  knew  it  would  be 
a  hot  one.  We  couldn't  identify  any  benefit  to  having  a  separate 
consent  for  mental  health  from  physical  health.  We  think  that  it 
is  a  prohibition  against  the  use  of  information.  Ought  to  stay  that 
way.  And  we  couldn't  see  a  benefit  to  adding  a  second  or  a  double 
consent  procedure,  just  didn't — other  than  adding  paperwork  and 
consumer  confusion,  we  couldn't  find  anything  that  someone  would 
want  to  consent  on  for  mental  health  information  that  they 
wouldn't  consent  with  for  physical  health  information. 

We  could  be  convinced.  We  couldn't  find  any  reason  to  do  it. 

Mrs.  ROUKEMA.  We  are  going  to  have  to  convince  you,  I  think. 
But  no,  I  think  the  woman  on  the  previous  panel — I  am  sorry,  her 
name  escapes  me  right  at  the  moment,  but  in  answer  to  my  ques- 
tion did  say  that  the  insurance  group  didn't  have  an  official  posi- 
tion, but  in  her  own  opinion  she  thought  there  was  a  reason  for  a 
separating. 

Dr.  Harding,  do  you  want  to  comment.  I  am  sorry,  I  am  talking 
about  Kathleen  Sebelius,  the  Insurance  Commissioner  in  Kansas. 
Mr.  Harding,  do  you  want  to  amplify  on  your  own  position  in  re- 
sponse to  what  has  been  stated  on  this  panel? 

Mr.  Harding.  Yes,  ma'am.  Only  that  in  an  ideal  world  allergies 
and  psychosis  would  be  handled  the  same.  That  certainly  would  be 
the  goal  of  all  of  us.  But  in  the  real  world,  because  of  prejudices 
or  stigma  or  whatever  you  call  it,  certain  illnesses  have  a  higher 
sensitivity  than  others,  and  until  we  overcome  that  societal  preju- 
dice or  stigma  we  are  going  to  have  to  look  out  for  special  cir- 
cumstances within  the  medical  field  that  needs  special  sensitivity 


46 

protections.  But  hopefully  someday  we  will  have  that  where  it  will 
all  be  the  same. 

Mrs.  ROUKEMA.  Thank  you.  I  appreciate  that.  I  just  hold  out  the 
hand  of  cooperation  here,  because  again  I  want  to  avoid  a  kind  of 
backlash  that  is  going  to  force  us  into  some  very  untenable  posi- 
tions in  the  near  future.  And  we  have — it  is  no  secret  that  there 
is  an  election  coming  up  and  there  are  all  kinds  of  ideological  or 
demagogic  positions  that  can  be  stated  on  these  highly  sensitive 
issues,  and  I  would  like  to  work  with  everyone  on  this  and  come 
to  an  intelligent  and  reasoned  conclusion. 

Thank  you. 

Thank  you,  Mr.  Chairman. 

Chairman  Leach.  Thank  you.  Marge. 

Mr.  Ackerman,  do  you  have  any  questions? 

Mr.  Ackerman.  Yes,  thank  you,  Mr.  Chairman.  I  am  sorry  I  was 
out  of  the  room.  I  am  at  two  hearings  at  the  same  time,  but  I  un- 
derstand that  Ms.  Meyer  made  reference  to  the  question  that  I 
raised  with  the  first  panel.  And  if  I  am  not  mistaken,  what  I  have 
been  advised  is  you  categorically  denied  that  any  such  system  ex- 
ists whatsoever  whereby  the  insurance  companies,  some  insurance 
companies,  at  least  one  insurance  company  does  not  reveal  to  a 
prospective  person  who  has  had  their  medical  exam  what  the  re- 
sults of  that  exam  is,  if  it  is  a  medical  claim,  that  they  have  paid 
for  the  exam  and  therefore  it  is  not  the  property  of  the  consumer, 
turns  the  person  down  for  insurance,  and  then  posts  on  the  com- 
puter for  all  agents  to  know  not  to  rewrite  the  policy  of  that  person 
because  he  tested  positive  for  AIDS  and  the  person  does  not  know 
that.  In  this  particular  case,  the  person  died. 

Ms.  Meyer.  If  that  happened,  that  would  be  absolutely  positively 
contrary  to  ACLI  policy  and  that  of  our  member  companies. 

Mr.  Ackerman.  In  that  case  would  you  reverse  your  policy  and 
support  the  legislation  I  tried  to  introduce  that  would  prevent  that 
from  happening? 

Ms.  Meyer.  I  am  sorry,  I  am  not  familiar  with  your  legislation, 
but  we  would  be  delighted  to  take  a  look  at  it. 

Mr.  Ackerman.  It  will  be  my  intent,  Mr.  Chairman,  to  offer 
hopefully  a  friendly  and  humane  amendment  that  would  say  that 
if  an  insurance  company,  albeit  their  physician  who  pays  for  the 
cost  of  a  person's  exam  and  that  person  is  turned  down,  that  that 
person  is  entitled  to  know  why  he  was  turned  down. 

Ms.  Meyer.  We  absolutely  agree  that  if  someone  is  declined  for 
insurance  coverage  that  they  are  entitled  to  know  the  reason  why. 
A  requirement  to  get  that  information  actually  is  in  the  law  in  the 
sixteen  or  eighteen  States  that  have  enacted  the  old  NAIC  model 
on  privacy.  The  ACLI  has  supported  that  model  for  decades. 

Mr.  Ackerman.  The  reason  for  declining  support  was  given  as  it 
would  be  too  expensive  to  notify  all  these  people  about  their  ill- 
nesses that  caused  them  to  be  turned  down  for  insurance,  albeit 
this  one  was  certainly  a  life  threatening  and  life  taking  incident. 
So  you  are  saying  that  you  would  be  supportive? 

Ms.  Meyer.  I,  as  an  attorney,  would  have  to  look  at  the  words, 
but  we  are  absolutely  strongly  in  support  of  an  individual  being  in- 
formed of  the  reasons  for  any  adverse  underwriting  action  taken  by 
an  insurer. 


47 

Mr.  ACKERMAN.  Would  you  be  willing  to  cooperate  with  us  in  our 
determination  as  to  whether  or  not  it  was  posted  on  the  computer 
system  that  this  particular  person,  when  his  existing  insurance 
was  up,  should  not  be  rewritten  if  he  was  late  in  payment? 

Ms.  Meyer.  This  sounds  like  a  fascinating  case.  A  life  insurance 
policy,  once  it  has  been  issued,  cannot  be  canceled  for  any  reason 
except  for  nonpajonent  of  insurance  claims.  The  only  thing  that  can 
happen  with  the  life  insurance  policy  is  that  premiums  can  actually 
be  decreased  if  an  individual  becomes  more  healthy  after  they  have 
had  a  policy  in  effect. 

Mr.  ACKERMAN.  The  inference  here  is  that  it  was  posted  so  that 
if  this  person's  premium  was  due  on  the  4th  and  it  arrived  on  the 
5th,  he  was  to  have  his  insurance  declined  for  late  payment  and 
should  not  be  extended  the  courtesy  because  of  specific  reasons. 

Ms.  Meyer.  We  would  be  delighted  to  sit  down  and  see  what  has 
happened  here.  This  sounds  like  a  horrible  situation. 

Mr.  ACKERMAN.  It  is,  when  we  get  to  computers  and  people's  pri- 
vate information  and  who  has  control  of  it.  And  I  thank  the  Chair- 
man for  allowing  this  line  of  questions. 

Chairman  Leach.  Thank  you,  Gary. 

Well,  let  me  thank  the  panel.  And  we  appreciate  very  much  their 
testimony.  We  hope  to  work  with  them. 

Oh,  excuse  me.  Mrs.  Biggert.  I  keep  overlooking  you.  I  am  very, 
very  sorry.  I  apologize. 

Mrs.  Biggert.  Thank  you.  I  am  still  here.  At  least  I  am  not  at 
the  kiddie  table,  so  I  am  in  the  front  row.  I  do  have  a  couple  of 
questions  if  I  might. 

Chairman  Leach.  Please,  and  feel  free  to  take  extra  time. 

Mrs.  Biggert.  Thank  you. 

Mr.  Rheel,  based  on  your  professional  experience  in  the  insur- 
ance business,  do  you  know  of  any  instances  of  abuse  by  the  insur- 
ance companies  or  their  business  partners  of  any  access  to  health 
information  at  the  current  time? 

Mr.  Rheel.  I  am  unaware  of  any  abuses  as  it  relates  to  informa- 
tion held  by  insurance  companies.  And  we  take  very  seriously  the 
information  that  we  have  in  our  records  and  do  not  freely  release 
the  information  for  any  unrelated  transaction  or  for  a  need  of  the 
information  to  any  third  party. 

Mrs.  Biggert.  Can  you  tell  me  what  the  practice  of  and  when 
would  insurance  companies  require  health  information  when  con- 
sidering an  application  for  insurance? 

Mr.  Rheel.  From  a  property  and  casualty  standpoint,  medical  in- 
formation that  we  seek  is  generally  aggregate  information.  It  does 
not  pertain  to  an  individual  employee  or  to  the  consumer.  We  make 
decisions  based  on  information  on  the  aggregate  levels  from  a  prop- 
erty and  casualty  standpoint.  That  is  my  field  of  expertise  in  that 
area.  Our  underwriting  is  based  on  risk  conditions,  not  employee 
conditions  as  it  relates  to  the  individual  employee  or  to  the  con- 
sumers themselves. 

Chairman  Leach.  Excuse  me,  Mr.  Rheel,  if  you  could  pull  the 
microphone  a  little  closer  we  would  appreciate  it. 

Mrs.  Biggert.  I  think  I  am  through  with  the  witness.  But  if  I 
could  ask  Dr.  Harding,  are  doctors  and  psychiatrists  required  by 


48 

law  to  protect  patients'  medical  records?  So  how  do  these  records 
get  transferred  to  the  third  party,  such  as  an  insurance  company? 

Mr.  Harding.  Well,  insurance  companies  often  ask  for  details  of 
medical  care  as  part  of  the  payment  for  those  cares.  There  is  a 
third  party  involved  between  a  physician  and  a  patient  and  an  in- 
surance company.  So  they  ask  for  varying  amounts  of  information 
from  the  physician  with  the  consent  of  the  patient  for  means  of 
payment.  So  they  then  receive  from  me  in  my  case  information,  the 
smallest  amount  that  I  can  get  away  with  giving  them  actually,  in- 
formation that  they  will  then  use  to  determine  if  the  treatment  was 
appropriate  and  whether  they  should  pay  the  amount  of  money 
that  I  ask  them  to.  That  is  how  they  obtain  it  originally,  although 
in  a  hospital  setting  it  is  a  little  different,  but  there  it  is  usually 
with  the  consent  of  the  patient  that  it  goes  to  the  insurance  com- 
pany. 

Mrs.  BiGGERT.  So  really  if  someone  had  no  insurance,  then  there 
probably  would  be  not  any  or,  for  example,  a  bank  that  would  not 
have  access  to  any? 

Mr.  Harding.  Oh,  but  I  think  that  is  where  we  start  getting  into 
some  interesting  areas  because,  for  instance,  if  a  patient  came  in 
to  see  me  and  paid  cash,  didn't  have  insurance,  and  I  gave  them 
a  prescription,  they  went  down  to  their  local  pharmacy,  handed  in 
the  prescription  and  paid  that  prescription  with  a  Visa  card,  all  of 
a  sudden  the  record  of  what  they  bought  would  be  in  the  financial 
system.  Now,  it  doesn't  take  a  rocket  scientist  to  know  that  if  that 
prescription  is  for  Prozac  that  might  be  a  psychotropic  medication 
that  many  people  are  aware  of  and  that  would  start  a  process  that 
potentially  has  concerns  for  that  patient's  medical  privacy,  and 
which  was  not  intended  by  any  means,  but  it  is  part  of  the  finan- 
cial system. 

Mrs.  BiGGERT.  Mr.  Bartlett,  you  look  like  you  might  want  to  say 
something. 

Mr.  Bartlett.  Technically  or  potentially,  as  I  said  in  my  testi- 
mony, potentially  that  could  be  true,  but  in  reality  it  is  not.  No  fi- 
nancial institutions  collect  such  sort  of  information.  We  believe 
they  are  prohibited  by  all  manner  of  laws,  court  cases  and  regula- 
tions from  collecting  it.  No  financial  institutions  uses  such  informa- 
tion or  even  collects  it.  So  while  this  is  good  legislation  to  close  a 
potential  loophole,  I  do  want  the  record  to  reflect  that  such  a  situa- 
tion so  far  as  I  can  tell  doesn't  happen,  it  is  not  likely  to  happen, 
and  this  legislation  would  help  to  prohibit  such  a  thing  from  hap- 
pening, but  it  doesn't  happen  today,  and  wouldn't  happen  in  the  fu- 
ture, I  don't  believe. 

Mrs.  BiGGERT.  OK.  And  you  also  said  in  your  testimony  that  the 
issue  of  including  an  exception  for  sharing  medical  information  to 
permit  joint  marketing  of  products — what  is  a  joint  marketing  of 
products? 

Mr.  Bartlett.  I  added  several  exceptions  and  my  exceptions 
tracked  Gramm-Leach-Bliley,  which  had  quite  good  exceptions.  The 
most  important  exception  was  for  rating  and  State  guaranty  funds, 
as  has  been  testified  here.  We  think  that  is  absolutely  essential. 
Otherwise  you  just  abolish  the  whole  system  of  rating  tools. 

In  terms  of  joint  marketing,  again  that  was  in  Gramm-Leach-Bli- 
ley. We  think  that  there  are  particularly  service  providers,  agents. 


49 

independent  agents  that  need  to  have  information  as  an  extension 
of  the  company,  and  that  is  again  using  the  medical  information  for 
the  purposes  for  which  it  was  intended,  not  for  any  other  purposes. 
So  we  would  encourage  the  committee  for  the  purposes  of  the  ex- 
ceptions to  track  Gramm-Leach-Bliley  and  then  the  prohibitions  is 
an  additional  and  much  stronger  set  of  prohibitions  of  the  use  of 
the  information.  But  the  exceptions  should  track  Gramm-Leach-Bli- 
ley. 

Mrs.  BiGGERT.  And  then  just  a  general  question,  we  have  been 
looking  at  this  privacy  issue  and  protecting  patient's  medical 
records,  and  this  was  put  on  to  the  Gramm-Leach-Bliley  bill,  but 
should  we  really  take  a  look  at  this  just  as  comprehensive  legisla- 
tion on  the  subject  rather  than  just  legislation  dealing  only  with  fi- 
nancial institutions? 

Mr.  Rheel.  One  of  the  issues  facing  this  committee  is  the  com- 
plexity of  products  of  financial  institutions  in  a  new  brave  world — 
as  we  have  been  talking  this  morning  about — is  that  there  are 
many  products.  The  impact  of  medical  information  has  different 
issues  with  different  products.  We  talked  about  life  insurance,  and 
my  field  of  expertise  is  Workers'  Compensation.  The  impact  of  med- 
ical information  is  critical  to  Workers'  Compensation  providing  the 
service  to  the  consumer. 

So  I  would  urge  this  committee  to  look  at  the  various  components 
of  the  financial  institution  and  address  the  issues  that  you  are  con- 
cerned about  specifically,  not  broadly  over  the  entire  financial  insti- 
tution. We  talked  a  little  bit  about  the  rating  organizations,  the 
need  for  information  for  them  to  create  rates,  research  organiza- 
tions needing  information  to  conduct  research  to  improve  the  sys- 
tem. So  there  is  a  particular  need  for  every  product  and  the  use 
of  financial  information,  who  uses  it,  and  the  purpose  of  that  infor- 
mation changes  product  by  product. 

Mrs.  BiGGERT.  So  you  would  agree  with  what  was  maybe  sug- 
gested in  one  of  the  earlier  panels  that  we  should  look  at  Workers' 
Compensation  as  perhaps  an  exception  to  this  because  of  the  opt- 
in  provision? 

Mr.  Rheel.  Yes,  I  would. 

Mrs.  BiGGERT.  Opt-out  provision. 

Mr.  Rheel.  I  would  encourage  the  committee  to  consider  excep- 
tions like  Workers'  Compensation  because  of  those  needs.  What  we 
deal  with  in  the  property  casualty  world  is  the  third  parties,  and 
third  party  actions.  They  are  making  their  medical  condition  an 
issue.  It  is  an  issue  that  they  are  bringing  claims  to  consumers  and 
looking  to  their  financial  institutions,  in  this  case  insurance  compa- 
nies, to  protect.  In  order  for  us  to  do  our  responsibility  to  protect 
those  consumers,  we  need  that  information.  As  a  standard  practice, 
we  provide  that  information  to  medical  vendors  who  provide  exper- 
tise back  to  the  process  to  ensure  that  we  are  providing  the  best 
care  to  injured  employees  and  also  the  best  services  to  our  con- 
sumers. 

Mrs.  BiGGERT.  Thank  you. 

Thank  you,  Mr.  Chairman,  for  your  indulgence. 

Chairman  Leach.  Well,  thank  you  very  much,  Mrs.  Biggert. 

I  would  like  to  thank  the  panel.  In  particular,  I  want  to  thank 
Professor  Harding.  The  reason  I  say  this  is  you  come  to  this  table 


50 

with  some  limitations  on  free  speech  that  the  rest  do  not  have.  And 
you  might  wonder  why  I  say  that.  A  couple  of  decades  ago  the  offi- 
cers of  your  association  visited  me,  advocating  or  opposing  some 
bill  on  Capitol  Hill,  I  forget  what  it  was,  and  I  uttered  the  opinion 
that  I  thought  a  former  high  ranking  public  official,  in  fact  a  Presi- 
dent, had  exhibited  certain  signs  of  what  I  would  describe  as  para- 
noia. I  asked  them  if  they  agreed  with  me.  And  they  looked  at  each 
other  and  the  president  of  your  association  then  responded,  "Well, 
it  is  this  way.  Congressman,  it  is  inappropriate  for  a  psychiatrist 
to  comment  on  someone  he  hasn't  examined,  and  if  he  has  exam- 
ined them,  it  is  inappropriate  for  him  to  comment  without  the  per- 
son's permission.  Aiid  in  any  regard,  our  licenses  would  be  lifted 
if  we  said  something  exhibiting  a  psychiatric  judgment  about  a 
public  official." 

So  it  strikes  me  you  have  first  amendment  constraints  that  no 
one  else  in  the  country  has.  So  I  am  particularly  appreciative  of 
your  coming,  but  I  maintain  the  view  that  this  particular  President 
was  crazy. 

Mr.  Harding.  I  won't  ask  you  which  one. 

Chairman  Leach.  But  I  can  say  that  as  a  non-trained,  non-sub- 
tle, non-informed  individual.  Anyway,  thank  you  all. 

Our  next  panel,  we  have  Nicole  Beason,  Esther  Peterson  Fellow 
at  the  Consumers  Union;  A.G.  Breitenstein,  who  is  Chief  Privacy 
Officer  of  ChoosingHealth.com;  Evan  Hendricks,  Editor  and  Pub- 
lisher of  Privacy  Times;  Mr.  Edmund  Mierzwinski,  who  is  Con- 
sumer Program  Director  of  the  United  States  Public  Interest  Re- 
search Group;  Joy  L.  Pritts,  who  is  Senior  Counsel,  Health  Privacy 
Group  of  Greorgetown  University;  and  Mr.  Ronald  Welch,  who  is  an 
Attorney  with  Zuckerman,  Spaeder,  Goldstein,  Taylor  and  Kolker, 
LLP,  on  behalf  of  the  American  Civil  Liberties  Union. 

And  we  will  begin  with  you,  Ms.  Beason. 

STATEMENT  OF  NICOLE  BEASON,  ESTHER  PETERSON 
FELLOW,  WASfflNGTON  OFFICE,  CONSUMERS  UNION 

Ms.  Beason.  Mr.  Chairman 

Chairman  Leach.  Excuse  me,  if  I  could  ask,  if  you  pull  the 
microphone  quite  close  I  think  it  is  a  little  easier. 

Ms.  Beason.  Is  this  good? 

Chairman  Leach.  Yes. 

Ms.  Beason.  Mr.  Chairman,  Congressman  LaFalce,  Members  of 
the  committee,  my  name  is  Nicole  Beason,  and  I  am  the  Esther  Pe- 
terson Fellow  at  Consumers  Union.  As  you  may  know,  Consumers 
Union  is  a  nonprofit  publisher  of  Consumer  Reports,  and  we  are 
here  today  because  we  believe  that  protecting  the  consumer's  med- 
ical privacy  is  a  very  important  issue.  What  is  at  stake  here? 
Strangers  knowing  that  at  a  young  age  you  had  a  hernia,  as  a 
teenager  you  developed  asthma  and  now  as  an  adult  you  recently 
had  bypass  surgery.  You  should  be  able  to  have  your  health 
checked  and  treated  without  having  your  privacy  violated. 

Consumers  Union  has  identified  certain  privacy  principles  that 
we  believe  should  be  included  in  any  legislation  intended  to  protect 
consumer  privacy.  First,  every  consumer  has  a  privacy  interest  in 
individually  identifiable  health  information. 


51 

Second,  waivers  of  an  individual's  privacy  interest  should  be 
made  clearly  and  conspicuously  and  limited  to  scope  to  specific  pur- 
poses. In  fact,  we  have  consistently  advocated  for  an  opt-in  ap- 
proach to  the  release  of  personal  medical  or  physician  information. 
Opt-in  simply  means  that  the  institution  must  get  the  consumer's 
permission  before  sharing  information  about  that  consumer. 

Third,  financial  institutions,  health  care  providers  and  other 
holders  of  health  information  have  a  duty  to  maintain  the  confiden- 
tiality of  personal  health  information  and  should  be  held  account- 
able for  protecting  an  individual's  privacy  interest.  Personal  health 
information  provided  to  a  financial  institution  by  a  consumer 
should  not  be  transmitted  to  anyone  else,  including  affiliates  and 
third  parties,  without  the  consumer's  clear  awareness  and  consent. 

Consumers  should  generally  have  the  right  to  access  and  ensure 
the  accuracy  of  their  own  health  information.  Consumers  should 
also  have  the  ability  to  amend  and  correct  inaccurate  information. 
Inaccurate  information  could  have  serious  consequences  should  a 
consumer  consent  to  sharing  their  health  information.  For  example, 
they  could  be  denied  health  coverage  because  their  records  falsely 
indicate  that  they  have  a  poor  medical  history.  Therefore,  a  mecha- 
nism needs  to  be  implemented  to  ensure  that  consumers  will  be 
able  to  amend  and  or  correct  their  information. 

They  also  need  to  be  given  notice  when  and  a  reason  for  why 
such  requests  for  amendment  and  correction  are  denied  by  the  fi- 
nancial institution.  It  is  also  important  that  consumers  are  given 
the  identity  and  referred  to  the  original  creator  of  the  inaccurate 
information.  The  Fair  Credit  Reporting  Act  can  serve  as  a  model 
for  the  regulators  to  use  to  implement  this  requirement. 

Specifically,  we  are  concerned  that  one  of  the  parties  who  has  a 
vested  interest  in  this  information  is  not  allowed  to  make  a  blanket 
determination  as  to  whether  the  disputed  information  is  included 
or  shared  with  other  parties.  The  financial  institution  or  the  gener- 
ator of  this  information  should  not  automatically  deny  a  consumer's 
request  to  amend  and  correct  medical  information.  Therefore,  a  dis- 
pute process  like  the  one  used  under  FCHA  should  be  adopted. 

Because  H.R.  4585  addresses  these  issues.  Consumers  Union 
supports  Chairman  Leach's  legislation,  with  some  suggestions  to 
strengthen  this  bill.  The  concerns  about  H.R.  4585  that  we  share 
with  other  consumer  advocates,  the  extensions,  if  any,  should  be 
limited.  The  bill  should  not  contain  any  loopholes  that  would  allow 
financial  institutions  to  share  consumers'  medical  information 
counter  to  the  intent  of  this  bill.  A  financial  institution  should  not 
be  allowed  to  use  health  information  about  a  consumer  without  the 
consumer's  consent,  not  just  for  decisions  regarding  the  loan  or 
credit  for  any  product  or  service  offered  by  the  institution  to  the 
consumer. 

While  it  is  important  to  focus  on  medical  privacy,  there  are  other 
components  of  privacy  that  consumers  care  about.  We  urge  this 
committee  to  not  just  take  up  this  narrow  aspect,  but  to  look  at  a 
broader  privacy  package. 

Mr.  Chairman,  once  again  thank  you  for  the  opportunity  to  tes- 
tify before  the  committee  today.  I  would  be  happy  to  answer  any 
questions  the  committee  may  have. 


52 

[The  prepared  statement  of  Nicole  Beason  can  be  found  on  page 
196  in  the  appendix.] 
Chairman  Leach.  Well,  thank  you  very  much,  Ms.  Beason. 
Ms.  A.G.  Breitenstein. 

STATEMENT  OF  A.G.  BREITENSTEIN,  JD,  MPH,  CHIEF  PRIVACY 
OFFICER,  CHOOSING.HEALTH.COM 

Ms.  Breitenstein.  Chairman  Leach,  Representative  LaFalce, 
thank  you  for  inviting  me  here  today.  My  name  is  A.G. 
Breitenstein.  I  am  one  of  the  first  Chief  Privacy  Officers  of  an 
internet  startup.  ChoosingHealth.com  is  the  service  which  allows 
patients  to  communicate  with  each  other  and  with  their  providers 
and  hospitals  and  researchers  without  having  to  give  up  their  pri- 
vacy. We  are  dedicated  to  the  notion  that  people's  information  be- 
longs to  them,  and  I  want  to  take  this  time  to  thank  you  for  taking 
up  this  issue. 

A  Wall  Street  Journal  poll  recently  found  that  Americans  con- 
sider the  issue  of  health  privacy  to  be  more  threatening  than  do- 
mestic terrorism.  A  Harris  poll  has  also  found  that  privacy  is  the 
number  one  reason  that  Americans  are  staying  off  the  internet. 

The  urgency  of  this  problem  is  very,  very  clear,  Nancy  Dickey, 
the  past  President  of  AMA,  has  stated  the  following,  "These  days 
insurance  companies  don't  want  summaries,  they  want  the  whole 
record.  So  I  think  twice  about  what  I  include,  and  then  I  hope  I 
can  remember  it  all.  If  my  patients  fear  that  what  they  tell  me 
could  come  back  to  haunt  them,  they  tend  to  be  less  forthright.  I 
may  come  up  with  the  wrong  treatment,  because  I  was  chasing  the 
wrong  clues." 

And  Nancy  Dickey  is  not  alone.  I  myself  counseled  a  doctor 
whose  wife  was  an  OB/GYN  and  he  told  me  that  his  wife  routinely 
doodled  in  the  margins  of  her  record.  The  reason  was  that  she  used 
these  doodles  to  code  messages  to  herself  about  her  patient's  med- 
ical histories.  She  felt  that  this  was  important  to  do  to  protect  the 
privacy  of  her  patient's  records,  but  feared  that  if  anything  ever 
happened  to  her,  her  patient's  records  would  be  impossible  to  read. 

I  also  want  to  read  you  a  quick  quote  from  a  pediatrician  I 
worked  with.  He  said  to  me,  "Insurance  companies  are  requesting 
as  part  of  well  visits  to  ask  and  document,  which  I  have  no  problem 
with,  children  questions,  such  as  "Do  you  have  sex?"  "Do  you  mas- 
turbate?" "How  are  your  relationships  with  your  parents  and 
friends?"  "Have  you  had  an  abortion?"  And  many  others.  As  I  said, 
I  have  no  problem  with  asking  these  questions.  What  disturbs  me 
is  the  access  that  insurance  companies  have  to  that  information 
and  therefore  anybody  else  that  wants  or  can  legally  obtain  those 
records.  We  physicians  are  in  a  Catch-22.  If  we  document,  patient 
confidentiality  can  be  destroyed.  If  we  don't  document,  we  are  clas- 
sified as  bad  physicians.  As  a  pediatrician,  I  am  very  concerned 
about  how  this  information  available  to  third  parties  will  affect 
these  children's  futures." 

Basically  patients  are  put  in  a  position  of  having  to  make  a 
choice  between  their  health  and  their  privacy.  I  want  to  support 
you  in  this  legislation.  This  legislation  is  a  very  good  first  step.  If 
there  is  one  thought  that  I  can  leave  you  with  in  terms  of  my  testi- 
mony, it  is  this:  Personal  information,  particularly  health  informa- 


53 

tion,  is  the  new  cash  in  this  digital  age.  Your  efforts  to  protect  pri- 
vacy of  personal  health  information  will  set  the  terms  that  allow 
patients  to  negotiate  on  a  level  playing  field  for  the  value  of  this 
new  currency.  Without  adequate  protections  individuals  will  be 
robbed  of  a  valuable  resource  and  will  be  reluctant  to  purchase  the 
goods  and  services  they  need  on  the  internet. 

What  do  I  mean  by  this?  People  get  "free"  stuff,  and  I  put  free 
in  quotes,  in  our  new  digital  economy,  because  they  are  willing  to 
give  up  certain  aspects  of  personal  information  in  exchange  for 
this.  This  is  very  true  on  the  internet.  Most  websites  have  as  their 
primary  revenue  model  some  plan  to  sell  this  personal  information 
collected,  and  personal  health  information  is  the  most  valuable  of 
all  these  categories  of  information. 

If  I,  as  a  bank,  can  collect  and  sell  a  list  of  people  who  have  asth- 
ma to  unscrupulous  researcher  or  a  direct  marketer,  I  can  make 
millions  of  dollars. 

How  should  this  affect  your  work  on  H.R.  4585?  Privacy  legisla- 
tion will  be  the  backdrop  against  which  the  emerging  digital  econ- 
omy will  be  set.  It  will  have  a  profound  influence  on  the  ability  and 
right  of  consumers  to  negotiate  the  value  of  their  personal  informa- 
tion in  exchange  for  goods  and  services.  You  are  in  effect  creating 
a  new  currency  of  sorts. 

There  are  a  few  suggestions  I  would  like  to  make  to  this  end. 
The  basic  rule  of  consent  must  be  clear  and  unambiguous  with  few 
exceptions,  and  this  consent  should  be  voluntary.  Health  informa- 
tion collected  for  one  purpose  cannot  be  used  for  another  purpose 
without  consent.  I  was  particularly  troubled  by  the  exception  for 
joint  marketing  that  is  in  the  legislation  now.  It  seems  to  me  that 
this  is  a  loophole  for  sort  of  reconfiguring  the  marketing  schemes 
that  people  are  protesting  and  as  long  as  it  is  done  along  with  the 
entity  that  first  collected  the  information,  this  seems  like  a  very 
large  loophole.  There  are  also 

Mr.  LaFalce.  Excuse  me.  Where  is  that  last  concern  expressed 
in  your  testimony?  I  was  following  you  on  point  two  and  I  didn't 
follow  you  when  you  were  underscoring  a  point. 

Ms.  Breitenstein.  It  is  not  in  my  written  testimony,  but  I  would 
be  happy  to  amend  it  for  your  purposes. 

Mr.  LaFalce.  Please  do  so. 

Ms.  Breitenstein.  As  the  banking  insurance  functions  begin  to 
merge  under  this  Act,  it  is  going  to  be  exceedingly 

Chairman  Leach.  For  point  of  clarification,  the  concern  you  have 
in  joint  marketing  is  not  in  the  bill.  It  is  advocating 

Ms.  Breitenstein.  In  the  original,  correct. 

Chairman  Leach.  But  not  in  H.R.  4585? 

Ms.  Breitenstein.  Correct,  it  is  in  the  exceptions  that  are  re- 
ferred to  in  H.R.  4585. 

Chairman  Leach.  So  this  is  a  concern  about  an  advocacy  of  posi- 
tion that  another  panelist  has  suggested,  but  not  a  concern  about 
the  bill  itself,  is  that  correct? 

Ms.  Breitenstein.  Correct.  It  is  a  concern  for  pulling  those  ex- 
ceptions into  this  bill.  Does  that  make  sense? 

Chairman  Leach.  Sure. 

Ms.  Breitenstein.  Great. 


54 

As  banking  and  information  functions  begin  to  merge,  it  is  going 
to  be  exceedingly  important  to  make  sure  that  the  firewall  between 
these  areas  is  enforced. 

Finally,  individuals  must  have  a  right  of  action  to  enforce  their 
claims  on  their  own  personal  health  information.  Data  is  property. 
And  if  there  is  one  thing  we  have  historically  protected  in  this 
country,  it  is  the  right  of  an  individual  to  protect  their  property. 
Failure  to  do  so  will  not  only  adversely  affect  health  care,  but  will 
set  a  dangerous  new  precedent  in  this  information  era. 

Many  of  my  esteemed  colleagues  have  testified  today  that  these 
protections  are  going  to  drive  up  costs  and  stymie  economic  growth, 
I  want  to  challenge  this  argument  head  on.  Personal  information 
is  a  resource.  It  has  value  as  our  economy  shifts  to  an  information 
based  system.  It  will  become  one  of  the  most  valuable  resources  in 
the  world.  If  we  rob  individuals  of  their  data,  we  will  render  them 
penniless  and  powerless  to  participate  freely  and  fairly  in  this  new 
market.  We  will  first  feel  this  in  rising  health  care  costs,  owing  to 
an  eroded  doctor-patient  relationship.  We  will  then  feel  the  effects 
of  when  people  offer  erroneous  information  or  choose  not  to  partici- 
pate at  all. 

I  want  to  thank  you  and  offer  any  suggestions  I  can  for  improv- 
ing this. 

[The  prepared  statement  of  A.G.  Breitenstein  can  be  found  on 
page  202  in  the  appendix.] 

Chairman  Leach.  Thank  you  very  much.  Doctor. 

Mr.  Hendricks. 

STATEMENT  OF  EVAN  HENDRICKS,  EDITOR  AND  PUBLISHER, 

"PRIVACY  TIMES" 

Mr.  Hendricks.  Thank  you,  Mr.  Chairman.  I  am  Evan  Hen- 
dricks, editor  and  publisher  of  Privacy  Times.  I  have  been  reporting 
on  and  following  privacy  developments  in  Washington  since  I  ar- 
rived here  in  1977.  I  am  in  my  twentieth  year  of  publishing  Privacy 
Times.  There  is  always  a  tendency  to  take  good  news  for  granted, 
and  I  don't  want  to  do  that.  I  think  the  good  news  here  is  you,  Mr. 
Chairman,  and  the  Ranking  Minority  Member.  You  have  always 
been  willing  to  give  privacy  a  fair  hearing.  You  are  the  first  one 
to  tackle  the  tough  information  of  information  brokers.  With  the 
help  of  Mr.  LaFalce,  the  two  of  you  have  taken  a  bipartisan  ap- 
proach to  privacy  and  I  have  seen  the  benefits  for  i^ericans  in 
that,  and  I  am  glad  to  see  that  continuing  today. 

I  think  the  bad  news  is  that  there  is  not  another  committee 
Chairman  that  followed  the  example  that  you  set.  I  hope  that  that 
will  be  changing  as  it  becomes  clearer  to  Washington  how  impor- 
tant privacy  is  to  the  American  people. 

I  think  what  we  have  in  front  of  us  today  is  a  good  bill.  The  core 
of  this  bill  is  good,  because  it  is  based  on  affirmative,  informed  con- 
sent, which  should  be  the  baseline  of  all  privacy  law  and  informa- 
tion usage  in  the  United  States.  And  I  think  it  is  only  a  matter  of 
years  before  we  get  that  kind  of  privacy  law  and  information  usage 
in  the  United  States.  So  I  of  course  advocate  speeding  the  way 
there. 

Of  course,  no  bill  can  be  perfect.  They  can  all  be  improved,  in- 
cluding the  Administration's  and  including  the  one  before  us  today. 


55 

And  so  I  incorporate  the  comments  of  my  fellow  panelists,  ACLU, 
Dr.  Breitenstein,  Consumers  Union,  for  some  of  the  specifics  I 
would  like  to  speak  to.  Traditionally  in  the  United  States  we  have 
always  taken  a  narrow  approach  on  privacy.  Certain  issues  come 
up,  like  we  found  in  Judge  Bork's  situation  where  a  newspaper  re- 
porter got  ahold  of  his  video  rental  records,  and  this  was  an  issue 
that  hit  close  to  home  in  Congress  and  they  moved  quickly  to  pass 
the  Video  Rental  Protection  Act.  But  the  narrow  approach  has  left 
us  with  many  of  these  gaps. 

So  we  do  have  the  Fair  Credit  Reporting  Act,  an  important  law 
that  this  committee  had  a  role  in,  video  rental  records  are  pro- 
tected, cable  TV  is  protected.  But  many  important  types  of  records 
like  medical  records,  employment,  some  kinds  of  financial  informa- 
tion, internet,  retail  records  are  not  protected.  And  this  is  ex- 
tremely significant  that  now  in  history  we  are  in  an  age  of  conver- 
gence, where  we  see  under  Gramm-Leach-Bliley  the  convergence  of 
insurance  and  banks.  We  see  the  convergence  of  means  of  commu- 
nications. The  internet,  cable,  telephones,  the  banking  and  the 
wireless  system  are  all  converging.  I  think  we  really  need  to  move 
toward  a  comprehensive  approach  to  privacy  if  we  are  going  to 
have  our  laws  fit  the  technology  and  the  information  systems  that 
we  have.  And  so  I  favor  in  just  the  area  of  financial  privacy  the 
starting  point  for  considering  financial  privacy  would  be  the  Ad- 
ministration bill  as  introduced  by  Congressman  LaFalce.  That 
would  take  a  more  comprehensive  approach  to  the  issue  of  financial 
privacy,  and  I  think  that  is  where  we  start. 

I  think  it  is  also  important  to  point  out,  though,  that  there  is 
rampant  public  concern  now  about  privacy.  Even  in  our  newsletter 
we  have  reported  bits  and  pieces  about  some  of  the  politicians'  pro- 
prietary opinion  polls  showing  that  privacy  is  off  the  charts  among 
Americans,  and  the  New  York  Times  fleshed  this  out  a  week  ago 
Sunday  in  the  Week  in  Review  section,  showing  both  Republican 
and  Democratic  polsters  are  finding  that  this  is  the  sleeper  issue 
of  this  campaign. 

The  lesson  learned,  we  must  do  something  dramatic  and  com- 
prehensive to  respond  to  the  well-founded  public  concerns  about 
privacy  and  I  think  the  solution  is  that  the  Administration  really 
has  a  responsibility  to  come  forward  with  a  comprehensive  national 
package.  If  the  Administration  doesn't  do  it,  then  the  leadership  of 
the  Congress  should  do  it,  although  traditionally  this  role  has  be- 
longed to  the  Administration. 

Now,  I  think  one  reason  the  Administration  hasn't  done  this  is 
for  too  long  the  Commerce  Department  has  been  at  the  middle  of 
the  Administration's  privacy  policy  and  for  too  long  the  Commerce 
Department  has  been  kneeling  at  the  altar  of  voluntary  self-regula- 
tion, and  still  does,  well  after  voluntary  regulation  has  been  dis- 
credited as  feasible  or  workable.  I  think  the  Commerce  Department 
should  get  out  of  the  privacy  policy  business  altogether  and  just  go 
back  to  counting  beans. 

The  good  news,  though,  is  that  the  Treasury  Department  has 
come  forward  with  a  comprehensive  financial  privacy  bill.  The  Fed- 
eral Trade  Commission  has  now  recommended  national  privacy  leg- 
islation for  internet  privacy  and  Health  and  Human  Services  is 
moving  on  medical  privacy,  telling  Congress  they  need  to  go  beyond 


56 

what  HHS  can  do  in  rulemaking.  So  we  have,  through  fits  and 
starts,  we  have  the  pieces  of  what  could  be  a  comprehensive  pri- 
vacy policy. 

I  think  on  top  of  this  we  need  privacy  infrastructure.  No  matter 
what  happens,  we  are  still  going  to  have  to  integrate  and  consoli- 
date and  rationalize  privacy  laws  so  they  are  consistent  across  me- 
diums and  for  kinds  of  records  and  have  reasonable  differences  for 
reasonable  context  so  there  is  consistency.  And  this  is  the  role  of 
what  other  countries,  all  of  the  Western  countries  have,  and  we 
don't,  and  that  is  a  privacy  commissioner,  an  independent  privacy 
commissioner  that  would  offer  answers  to  the  legislature.  That  is 
a  very  important  step  in  creating  the  privacy  infrastructure  we  are 
going  to  need  to  have  a  rational  scheme  of  privacy  protection. 

Finally,  I  think  it  is  important  to  note  that  one  of  the  most  pro- 
consumer  developments  is  the  development  of  the  internet  and  e- 
commerce.  Yesterday  Chairman  Pitofsky  of  the  FTC  was  talking 
about  the  benefits  to  consumers.  There  is  a  real  risk,  and  we  are 
seeing  the  numbers,  and  that  the  phrase  "burn  rate"  is  a  very  dom- 
inant phrase  now  that  the  "e-tailers"  are  going  to  go  out  of  busi- 
ness. That  is  partly  because  we  have  not  created  an  environment 
of  consumer  confidence.  Without  adequate  privacy  protection,  we 
will  not  have  consumer  confidence.  Not  only  is  this  the  best  thing 
for  the  American  people  and  something  that  will  eventually  hap- 
pen, but  something  that  is  absolutely  necessary  for  us  to  make  e- 
commerce  flourish.  Otherwise  it  is  still  possible  we  could  have  the 
unfortunate  debate  of  "Who  lost  e-commerce?" 

Thank  you,  Mr.  Chairman. 

[The  prepared  statement  of  Evan  Hendricks  can  be  found  on 
page  207  in  the  appendix.] 

Chairman  Leach.  Thank  you,  Mr.  Hendricks. 

I  am  also  struck  by  the  fact  that  you  had  a  magazine  that  has 
been  in  existence  for  twenty  years,  and  privacy  as  a  concern  didn't 
emerge  until  six  months  ago.  Thank  you. 

Mr.  Mierzwinski. 

STATEMENT    OF    EDMUND    MIERZWINSKI,    CONSUMER    PRO- 
GRAM DIRECTOR,  U.S.  PUBLIC  INTEREST  RESEARCH  GROUP 

Mr.  Mierzwinski.  Thank  you,  Mr.  Chairman,  Mr.  LaFalce.  I  am 
pleased  to  offer  the  views  of  the  U.S.  Public  Interest  Group  on  your 
important  new  legislation  to  protect  consumers'  financial  medical 
privacy.  We  want  to  commend  you  for  introducing  a  bill  that  is 
very  supportable,  with  some  amendments,  and  we  are  encouraged 
by  the  fact  that  the  core  of  your  bill  recognizes  that  opt-in  express 
consent  by  consumers  should  be  the  criterion  upon  which  informa- 
tion is  shared  or  used  for  secondary  purposes.  As  Mr.  Hendricks 
has  articulated,  we  believe  that  any  privacy  laws  should  be  based 
fundamentally  on  opt-in  consumer  consent. 

We  are  especially  pleased  that  a  number  of  parts  of  your  bill  are 
quite  strong,  particularly  its  provision  that  the  use  of  information 
already  held  by  an  entity  requires  express  consent  and  also  its 
stronger  provisions  in  the  areas  of  mental  health. 

That  being  said,  I  do  have  a  few  points  in  my  written  statement 
on  areas  where  we  think  that  the  bill  could  be  improved.  We  also 


57 

think  that  some  of  these  areas  apply  equally  to  the  President's  bill. 
And  let  me  just  discuss  those  very,  very  briefly. 

First,  I  think  both  bills  have  too  many  exceptions  and  that  the 
committee  ought  to  look  very  carefully  at  the  need  for  those  excep- 
tions. I  am  quite  aware  that  the  industry  witnesses  believe  there 
should  be  more  exceptions,  but  we  believe  to  protect  privacy  there 
should  be  as  few  as  possible. 

Second,  in  the  area  of  coercion  of  consent,  we  are  generally  con- 
cerned that  consumers  not  get  into  the  habit  of  ignoring  warnings 
and  simply  giving  consent  as  a  condition  of  appljdng  for  any  kind 
of  an  account.  And  in  this  area,  the  President's  bill  uses  one  ap- 
proach, your  bill  uses  a  different  approach. 

We  believe  perhaps  the  best  solution  might  be  a  combination  of 
the  two  approaches,  with  the  addition  of  the  approach  taken  by  the 
comprehensive  me(Mcal  privacy  bills,  not  only  the  financial  privacy 
bills,  but  some  of  the  other  bills  before  the  Congress  that  would 
prohibit  the  conditioning  of  any  treatment  or  provision  of  any  serv- 
ice upon  provision  of  consent. 

The  third  area  is  the  issue  of  loans  or  credits.  The  strongest 
parts  of  your  bill  appear  to  be  limited  only  to  the  issuance  of  loans 
or  credit.  We  believe  that  this  potentially  means  that  banks  and  fi- 
nancial services  holding  companies  might  be  able  to  use  confiden- 
tial health-related  information  for  marketing  purposes,  for  exam- 
ple, or  emplo5anent  purposes,  for  example,  and  we  would  suggest 
that  you  eliminate  that  narrow  structure  and  broaden  the  defini- 
tion so  that  it  applies  not  only  to  loans  and  credit,  but  to  all  uses 
of  information  by  a  holding  company. 

Neither  bill,  your  bill  nor  the  President's  proposal,  provides  a  pri- 
vate right  of  action  under  Title  5.  We  believe  that  a  fundamental 
privacy  protection  is  to  give  consumers  the  right  to  sue  when  their 
rights  are  violated. 

One  area  where  we  think  you  could  come  to  some  congruence 
with  the  President  is  on  the  important  area  of  access,  providing  the 
opportunity  for  consumers  to  correct  and  copy  their  financial  med- 
ical records.  Your  bill,  of  course,  includes  this  strong  provision.  The 
President's  bill,  however,  includes  that  provision  and  applies  it  not 
only  to  health  records,  but  also  to  financial  records. 

The  industry  often  complains  about  complex  regulations,  burden- 
some complex  regulations.  How  could  I  forget  the  adjective  "bur- 
densome"? The  way  you  could  make  the  regulation  more  simple 
would  be  to  apply  the  access  and  correction  provisions  not  only  to 
medical  information,  but  also  to  all  information  held  by  a  financial 
services  holding  company.  To  give  consumers  that  Fair  Information 
Practice  as  it  applies  to  all  of  their  information,  we  think  would  be 
a  good  step  forward.  Then  instead  of  being  under  two  regimes,  the 
banks  would  only  be  under  one  regime  for  complying  with  that  pro- 
vision of  the  law. 

We  believe  also  that  as  the  bill  relates  to  HIPAA,  there  is  lan- 
guage in  the  bill  describing  the  relationship  between  the  two  bills. 
We  think  there  should  be  an  expressed  provision  that  says  stronger 
privacy  law  controls  in  all  circumstances.  That  would  be  a  notable 
improvement  to  the  bill. 

We  are  very  pleased  that  both  you  and  the  Administration  have 
recognized,  as  has  the  broad  coalition  of  consumer,  pro-family,  free 


58 

speech  and  civil  liberties,  and  privacy  organizations  that  have  been 
supporting  privacy  legislation  in  this  country,  that  the  core  of  pri- 
vacy legislation  should  be  expressed  opt-in  consent.  We  would  urge 
you  to  work  together  with  the  Administration. 

Your  bill  applies  to  medical  privacy.  The  President's  bill,  as  in- 
troduced by  Mr.  LaFalce,  applies  to  an  opt-in  regime  to  both  med- 
ical privacy  and  sensitive  financial  information.  We  would  urge,  of 
course,  that  that  be  broadened  to  include  all  medical  and  all  finan- 
cial information,  and  ultimately,  as  Mr.  Hendricks  has  described, 
that  we  establish  opt-in  financial  consent  across  all  areas  of  the 
economy,  because  as  the  industry  groups  are  converging,  as  compa- 
nies that  used  to  do  one  thing  are  doing  many  things,  the  gaps  in 
our  privacy  law  are  becoming  clearer  and  clearer. 

That  being  said,  we  commend  you  for  introducing  a  bill  to  solve 
the  most  important  loophole  in  the  Gramm-Leach-Bliley  Act;  and 
that  is,  its  missing  provision  on  medical  financial  privacy  and  we 
urge  support  of  your  bill.  Thank  you. 

[The  prepared  statement  of  Edmund  Mierzwinski  can  be  found 
on  page  211  in  the  appendix.] 

Chairman  Leach.  Thank  you. 

Ms.  Pritts. 

STATEMENT  OF  JOY  L.  PRITTS,  SENIOR  COUNSEL,  HEALTH 
PRIVACY  GROUP,  GEORGETOWN  UNIVERSITY 

Ms.  Pritts.  Good  afternoon.  I  would  like  to  first  thank  you,  Mr. 
Chairman  and  Congressman  LaFalce,  for  giving  us  the  opportunity 
to  testify  today  on  this  important  issue  of  health  privacy. 

I  am  with  the  Health  Privacy  Project,  which  was  formed  a  few 
years  ago.  The  mission  of  the  Health  Privacy  Project  is  to  raise 
public  awareness  about  the  importance  of  ensuring  privacy  of 
health  information  from  the  standpoint  of  improving  health  care 
access  and  quality,  not  just  from  an  individual  point  of  view,  but 
also  from  the  community's  point  of  view.  We  believe  that  this  is  an 
important  area  which,  as  technology  changes,  is  subject  to  more 
and  more  threats. 

Given  the  focus  of  our  project,  we  follow  the  privacy  components 
of  the  Gramm-Leach-Bliley  Act  with  great  interest.  Financial  infor- 
mation often  overlaps  with  health  information,  and  we  have  had 
concerns  that  in  the  process  of  modernizing  the  financial  services 
industry,  sensitive  health  information  might  be  turned  into  just  an- 
other marketable  commodity,  and  we  don't  think  it  should  be  that 
type  of  information. 

The  bill  that  is  at  issue  here  today,  H.R.  4585,  goes  a  long  way 
toward  addressing  our  concerns  with  that  issue.  I  would  like  to  ad- 
dress some  of  the  major  components  of  that  bill. 

One  of  the  first  things  that  we  focused  on  was  the  opt-in  require- 
ment for  a  financial  institution  to  release  the  information  of  a  con- 
sumer. An  opt-in  requirement  is  pretty  much  the  status  quo  in 
other  Federal  bills,  and  we  believe  that  this  is  the  way  to  go.  We 
also  believe  that  this  is  a  vast  improvement  over  the  opt-out  provi- 
sion that  was  in  the  original  Gramm-Leach-Bliley  Act,  because  that 
kind  of  presumes  that  a  consumer  would  consent  to  the  release  of 
this  information,  and  we  don't  think  that  that  presumption  is  very 


59 

accurate,  that  people  would  voluntarily  release  this  information  if 
they  knew  how  it  was  going  to  be  used. 

We  also  appreciate  the  fact  that  this  opt-in  requirement  applies 
to  non-affiliates.  From  a  consumer's  perspective,  it  really  doesn't 
matter  if  the  information  is  going  to  an  affiliate  or  non-affiliate. 
The  key  issue  is  whether  the  information  is  being  released  from  the 
original  record  holder. 

Another  aspect  of  this  bill  that  we  were  pleased  with  is  that  it 
addresses  consumer  profiles.  Although  we  have  heard  today  that 
banks  do  not  use  medical  information  in  this  manner,  I  think  it  is 
quite  obvious  from  anybody  who  has  received  a  statement  of  a 
checking  account,  that  many  of  us  at  the  end  of  the  year  receive 
a  statement  that  lists  how  things  have  been  processed.  Your  credit 
card  statement  says  how  your  money  has  been  spent  during  the 
year  and  it  includes  things  like  a  category,  $10,000  for  health  infor- 
mation during  the  last  year. 

So  the  technology  is  there  and  it  is  something  that  in  the  future 
people  could  possibly  do. 

One  other  area  that  this  proposal  addresses  is  that  it  restricts 
the  use  of  health  information  for  providing  certain  financial  serv- 
ices. We  see  this  as  an  improvement  over  the  original  Gramm- 
Leach-Bliley  Act.  There  are  a  lot  of  consumer  concerns  that  their 
health  information  may  be  used  to  deny  them  access  to  financial 
services  such  as  loans  and  credits.  There  was  a  question  posed  ear- 
lier today  to  another  panel  about  whether  anybody  knew  of  any  cir- 
cumstances under  which  that  had  actually  happened.  We  are 
aware  of  an  article  that  was  in  Time  Magazine,  I  believe  it  was  in 
1996  or  1997,  where  they  reported  an  example  of  a  bank  officer 
who  also  happened  to  serve  on  a  State  board  which  governed  a  can- 
cer registry,  and  the  bank  officer  ran  a  list  of  the  people  who  had 
been  reported  as  having  cancer  and  he  used  that  listing,  compared 
it  to  the  files  in  his  bank,  and  apparently  he  terminated  their 
loans.  Now,  that  is  really  kicking  somebody  when  they  are  down. 
So  there  are  circumstances  that  have  been  reported  where  this  has 
actually  occurred,  and  we  would  really  like  to  see  a  prohibition  on 
that  occurring  in  the  future. 

Another  major  improvement  in  this  Act  is  a  provision  that  would 
grant  consumers  the  right  of  access  to  and  to  correct  their  informa- 
tion. If  your  health  information  is  going  to  be  used  to  make  life- 
influencing  decisions,  such  as  whether  or  not  you  are  going  to  get 
insurance  or  you  are  going  to  get  a  mortgage,  or  if  it  is  going  to 
be  spread  to  other  people  for  them  to  use,  you  should  certainly 
have  the  ability  to  see  what  information  is  out  there  about  you  and 
to  correct  it  if  it  is  inaccurate. 

Although  we  support  the  opt-in  requirements  for  use  and  disclo- 
sure, we  do  believe  that  those  requirements  mean  almost  nothing 
if  they  are  not  truly  voluntarily  signed,  and  if  a  financial  institu- 
tion is  able  to  condition  the  provision  of  a  financial  service  on  a 
consumer's  executing  those  authorization  forms,  it  is  not  really  vol- 
untary. It  is  not  really  an  authorization  if  you  have  to  do  it  in  order 
to  obtain  a  loan,  for  instance.  This  is  one  area  where  we  really  be- 
lieve that  this  bill  could  be  improved. 

Overall,  we  are  quite  happy  with  the  provisions  in  H.R.  4585  and 
we  are  pleased  that  it  has  been  introduced.  We  look  very  much  for- 


60 

ward  to  seeing  the  gaps  in  the  Gramm-Leach-Bliley  Act  filled,  and 
it  looks  like  we  are  moving  in  that  direction  and  we  would  be 
happy  to  assist  with  that  process  if  we  could. 

[The  prepared  statement  of  Joy  L.  Pritts  can  be  found  on  page 
214  in  the  appendix.] 

Chairman  Leach.  Thank  you,  Ms.  Pritts. 

Mr.  Welch. 

STATEMENT  OF  RONALD  WEICH,  PARTNER,  ZUCKERMAN, 
SPAEDER,  GOLDSTEIN,  TAYLOR  AND  KOLKER,  LLP,  ON  BE- 
HALF OF  THE  AMERICAN  CIVIL  LIBERTIES  UNION 

Mr.  Weigh.  Thank  you,  Mr.  Chairman.  I  appreciate  the  oppor- 
tunity to  be  here  today  to  speak  on  behalf  of  the  300,000  members 
of  the  American  Civil  Liberties  Union. 

As  the  fourteenth  of  fourteen  witnesses  at  today's  hearing,  I 
think  it  is  my  responsibility  to  say  something  that  nobody  else  has 
said,  and  say  it  briefly.  What  I  would  like  to  do  is  first  of  all  en- 
dorse the  recommendations  for  strengthening  the  bill  that  my  col- 
leagues on  this  panel  and  that  the  Treasury  Department  official  on 
the  first  panel  put  forward.  But  I  want  to  take  a  step  back  and  re- 
mind the  Chairman  and  the  Ranking  Member  of  the  importance  of 
this  legislation  for  health  and  public  health. 

Over  the  course  of  the  morning,  and  now  the  afternoon,  I  think 
that  medical  privacy  has  been  discussed  in  somewhat  abstract 
terms  as  though  the  diminution  of  privacy  in  the  medical  area  was 
something  that  was  unfortunate  for  the  individual;  it  might  cause 
pain,  it  might  cause  embarrassment,  could  expose  somebody  to  dis- 
crimination, but  that  it  was  something  that  was  an  after-the-fact 
consequence  of  the  violation  of  privacy. 

The  point  I  want  to  make  is  that  we  believe  medical  privacy  is 
important,  because  in  the  absence  of  an  environment  in  which  peo- 
ple are  confident  that  their  medical  information  will  be  secure  and 
kept  confidential,  people  will  not  seek  medical  treatment  in  the 
first  instance  or  people  will  not  be  candid  with  their  health  care 
provider.  And  that  is  very  damaging. 

Let  me  just  give  two  examples,  one  ripped  from  todays  news- 
paper. The  Washington  Post  reports  on  a  Center  for  Disease  Con- 
trol study  which  says  that  25  percent  of  the  people  who  get  AIDS 
tests  in  this  country  do  not  return  to  receive  the  results,  and  CDC 
speculates  that  a  big  part  of  that  is  the  stigma  that  is  associated 
with  AIDS. 

A  prior  study  by  the  Department  of  Labor  found  that  a  majority 
of  women  in  the  study  were  reluctant  to  receive  genetic  screening 
for  breast  cancer.  There  again,  a  large  part  of  that  problem,  and 
the  women  said  in  large  part,  was  because  they  were  reluctant  to 
have  a  piece  of  paper  exist  that  said  that  they  had  this  genetic  pre- 
disposition. They  feared  that  it  would  be  used  against  them. 

It  is  not  just  the  after-the-fact  consequence.  It  is  that  people  will 
not  receive  the  health  services  that  they  need.  As  a  result,  the 
work  that  this  committee  is  doing  in  this  area  is  as  important  for 
individual  health  and  for  public  health  as  anything  that  your  col- 
leagues on  the  Health  Subcommittee  and  the  Commerce  Committee 
might  be  working  on  at  this  moment. 


61 

That  said,  I  don't  want  you  to  be  left  with  the  impression  that 
the  ACLU  thinks  that  the  only  issue  that  needs  to  be  addressed 
with  respect  to  Gramm-Leach-Bliley  is  medical  privacy.  We  regret- 
ted the  fact  that  your  bill,  Mr.  Chairman,  the  landmark  Gramm- 
Leach-Bliley  bill,  did  not  comprehensively  address  privacy  issues  to 
our  satisfaction,  and  we  urge  that  in  this  Congress,  and  as  soon  as 
possible,  the  Congress  return  to  the  privacy  issues  across  the  board 
with  respect  to  financial  institutions  including  medical  privacy.  We 
think  your  bill  is  very  good,  as  my  colleagues  have  stated,  but  we 
think  applying  the  principles,  especially  the  opt-in  principle,  to  fi- 
nancial privacy  across  the  board  would  be  even  better. 

I  would  just  want  to  quickly  highlight  three  improvements  that 
I  don't  believe  have  been  mentioned  before,  and  I  will  say  them  in 
very  bullet  form. 

First,  with  respect  to  the  right  to  access  and  correct  information, 
your  bill,  Mr.  Chairman,  permits  consumers  to  do  that  with  respect 
to  records  that  are  in  the  possession  of  the  financial  institution. 
The  Ranking  Member's  bill  goes  a  step  further  and  says  records 
that  are  under  the  control  of  the  financial  institution  and  reason- 
ably available,  which  is  a  standard  that  I  think  is  not  burdensome 
and  would  ensure  that  financial  institutions  don't  play  shell  games 
with  the  records.  If  there  is  to  be  a  right  of  access  and  a  right  to 
correct,  it  should  apply  to  all  records  that  are  under  the  control 
and  reasonably  available. 

Second,  there  has  been  discussion  about  the  mental  health  pro- 
tections in  the  bill  and  we  commend  you,  Mr.  Chairman,  for  put- 
ting those  in  there.  I  think  there  was  some  discussion  earlier  when 
Congresswoman  Roukema  was  here  about  why  that  would  be  im- 
portant. Understand  that  under  the  opt-in  model,  it  is  very  often 
the  case  that  the  opt-in  will  occur  in  advance;  that  when  the  con- 
sumer signs  up  for  the  financial  product,  he  or  she  will  be  asked 
to  provide  consent  for  the  future  use  of  the  information.  As  we  read 
the  mental  health  protection,  the  special  heightened  protection  in 
your  bill,  the  financial  institution  would,  if  it  wanted  to  use  mental 
health  information  in  the  future,  would  need  to  come  back  to  the 
consumer  and  seek  consent  for  that  specific  use.  We  think  that  is 
vitally  important  and  we  would  respectfully  suggest  that  those  spe- 
cial protections  be  extended  beyond  mental  health  to  other  sen- 
sitive areas  like  substance  abuse  and  reproductive  health,  because 
those  are  areas  where  the  fear  of  embarrassment  and  discrimina- 
tion is  so  great  that  people  are  reluctant  to  seek  the  health  service 
in  the  first  place. 

And,  finally,  nobody  has  emphasized  the  importance  of  genetic 
privacy  protections.  There  again,  the  breast  cancer  example  is  one 
that  we  are  all  very  familiar  with.  But  the  map  of  the  human  ge- 
nome is  about  to  be  completed  within  the  next  couple  of  weeks  is 
what  we  have  been  told.  We  think  it  is  vital  for  Congress  to  ad- 
dress the  circumstances  under  which  that  information  is  going  to 
be  available  and  the  circumstances  under  which  it  is  going  to  be 
used. 

We  strongly  support  Congresswoman  Slaughter's  bill  to  provide 
those  protections,  and  while  not  within  the  jurisdiction  of  this  com- 
mittee, of  course,  we  think  that  revisiting  the  privacy  issue,  the 
privacy  issues  raised  in  the  insurance  context  under  Gramm-Leach- 


65-149   2001-3 


62 

Bliley,  presents  an  excellent  opportunity  for  the  Congress  to  look 
at  the  important  issue  of  genetic  privacy.  Thank  you. 

[The  prepared  statement  of  Ronald  Welch  can  be  found  on  page 
220  in  the  appendix.] 

Chairman  Leach.  Thank  you  very  much. 

I  must  say,  all  your  testimony  has  been  extraordinary  and  very 
much  appreciated.  As  we  move  forward,  it  will  certainly  be  borne 
in  mind,  so  any  very  specific  language  you  want  to  suggest  we  will 
look  at  as  well.  Feel  free  to  contact  us  directly. 

John. 

Mr.  LaFalce.  Thank  you  very  much,  Mr.  Chairman. 

A  couple  of  observations.  First  of  all,  I  thought  the  presentations 
of  this  panel  were  just  outstanding  and  I  thank  the  Chairman.  I 
requested  each  of  the  six  of  you  as  witnesses.  I  think  we  would 
have  been  remiss  if  we  didn't  hear  from  your  perspective.  I  wish 
more  were  here  to  listen  to  you,  both  sitting  here  and  sitting  out 
there. 

You  have  been  supportive  of  the  Chairman's  bill  and  my  bill  sim- 
ilarities and  differences  in  approach,  but  you  have  also  had  some 
suggested  changes  for  both  the  Chairman's  bill  and  my  bill,  and  we 
are  grateful  for  that,  because  whatever  we  do,  we  both  recognize 
that  we  don't  have  any  particular  monopoly  on  wisdom  and  any- 
thing that  we  have  introduced  can  always  be  improved. 

You  have  pointed  out  they  can  be  improved  significantly,  even  in 
the  bill  that  I  introduced  on  behalf  of  the  Administration.  I  don't 
think  it  goes  far  enough  in  certain  very,  very  key  respects. 

Ms.  Breitenstein,  you  pointed  out  how  very  imperative  a  private 
right  of  action  is,  because  if  my  privacy  rights  are  protected,  my 
personal  privacy  rights,  my  property  rights,  then  I  don't  want  to 
have  to  rely  on  the  FTC,  I  don't  want  to  have  to  rely  on  the  State 
attorney  general,  which  I  have  to  do  even  under  my  bill.  I  ought 
to  have  a  right  to  seek  individual  redress,  because  I  am  the  one 
who  has  been  abused.  I  don't  think  that  is  unreasonable.  I  think 
arguments  to  the  contrary  are  unreasonable.  I  hear  them  saying 
this  a  defect  in  my  bill  even.  We  need  to  go  further. 

Ms.  Breitenstein,  I  point  you  out  in  particular,  because  you  made 
the  point  that  you  come  from  the  private  sector.  There  is  something 
else  I  think  that  we  must  get  across,  and  maybe  you  could  help  me 
buttress  this  point:  By  promoting  privacy,  we  are  promoting  good 
business  practice.  How  many  times  have  you  run  into  individuals 
who  would  have  used  the  internet,  for  example,  who  would  have 
used  some  electronic  form  of  commerce,  if  they  didn't  have  to  share 
personal  information;  but  they  get  to  that  point  and  then  they  stop. 
And  I  think  we  could  have  an  exponential  growth  in  utilization  of 
the  technology  that  exists  if  we  adopt  the  strongest  possible  privacy 
protections,  rather  than  thinking  that  the  privacy  protections  will 
impede  that  growth.  Anyone  want  to  comment  on  that? 

Ms.  Breitenstein.  I  want  to  thank  you  for  that  comment,  be- 
cause it  is  incredibly  astute  and,  statistically  speaking,  you  are 
right  on  the  money,  so  to  speak.  A  1999  consumer's  legal  study 
found  that  70  percent  of  people  were  unwilling  or  reluctant  to  di- 
vulge personal  information  online.  A  2000  poll  found  that  40  per- 
cent of  women  have  never  made  a  purchase  online,  citing  privacy 
as  their  number  one  concern. 


63 

I  wish  I  had  a  terrific  Utile  vignette  for  you,  but,  statistically 
speaking,  if  we  don't  solve  privacy,  we  are  not  going  to  support  the 
government  of  e-commerce  and  communication  and  everything  else 
that  we  want  to  do  online,  especially  in  the  health  field. 

Mr.  LaFalce.  I  thank  you.  Let  me  just — Mr.  Hendricks?  Before 
you  respond,  Mr.  Hendricks,  let  me  just  say  with  respect  to  Mr. 
Hendricks  and  I,  we  didn't  just  start  talking  about  privacy  six 
months  ago.  I  remember  two  years  ago  we  were  at  the  White 
House  at  a  press  conference  with  Vice  President  Gore,  when  we 
were  having  a  press  conference  about  the  need  for  promoting  pri- 
vacy rights  at  that  time.  And  then  I  remember  the  1970's,  worMng 
on  privacy  when  Mr.  Hendricks  was  covering  it  and  I  was  particu- 
larly working  on  that  with  then-Congressman  John  Cavanaugh  of 
Nebraska.  But  you  wanted  to  comment  on  the  buttress,  I  think, 
Ms.  Breitenstein's  point. 

Mr.  Hendricks.  The  other  statistic  is  something  between  70  and 
75  percent  of  the  people  are  filling  things  up  in  shopping  carts 
when  they  go  online,  and  abandon  the  purchase  at  the  point  they 
are  talking  about  actually  having  to  put  their  credit  card  number 
down.  So  there  is  a  real  perception,  fear,  hurdle,  that  has  to  be 
overcome  and  that  is  why  I  think  we  need  something  dramatic  and 
comprehensive. 

You  noted  that  Ms.  Breitenstein  is  from  the  private  sector.  There 
is  an  exciting  dynamic  going  on.  There  are  new  models  of  compa- 
nies coming  in  with  the  new  economy  that  are  based  on  protecting 
and  enhancing  privacy.  I  am  talking  to  some  of  those  companies, 
too,  and  I  look  forward  to  sort  of  bringing  them  into  the  debate 
here  to  be  able  to  demonstrate  how — where  in  the  past  you  could 
only  make  money  by  invading  privacy,  and  now  there  is  value  in 
protecting  privacy. 

Mr.  LaFalce.  I  think  I  read  or  heard  someplace  about  a  San 
Francisco  company  that  has  a  patent  that  has  been  issued  that 
would  assist  in  the  protection  of  privacy  by  scrambling  this  infor- 
mation. Do  you  have  anything  you  want  to  share  with  us  on  that? 

Mr.  Hendricks.  It  is  a  company  I  am  talking  to  that  has  a  pat- 
ent for  scrambling  credit  card  numbers,  and  all  through  commerce, 
the  merchant,  the  e-commerce,  systems  communication,  you  don't 
see  the  real  credit  card  number.  It  scrambles  it  so  it  only  goes 
through  and  then  is  confirmed  by  the  acquiring  bank  and  issuing 
bank.  It  would  be  a  real  technological  plus  to  get  this  sort  of  tech- 
nology into  the  marketplace.  It  is  going  to  take  a  mix  of  technology 
and  legislative  solutions  to  finally  show  the  American  people  that 
we  can  protect  privacy. 

Mr.  LaFalce.  Let  me  in  closing  again  thank  you,  and  let  me  just 
make  a  personal  observation.  This  is  June.  I  am  not  sure  whether 
we  will  be  able  to,  if  we  report  a  bill  out,  advance  it  to  the  floor. 
I  am  not  sure,  given  the  composition  of  the  Senate  and  the  late  leg- 
islative schedule,  we  will  be  able  to  advance  anything  at  all  in  the 
Senate.  Those  are  just  question  marks. 

The  question  is:  What  should  we  do  now  and  next?  A  number  of 
you  have  been  very  kind  in  your  comments,  both  toward  the  Chair- 
man and  myself.  I  don't  know  what  is  going  to  happen  in  the  fu- 
ture. I  don't  know  whether  I  will  be  reelected.  Assuming  I  am,  I 
will  expect  I  will  be  either  the  Ranking  Member  or  the  Chairman 


64 

of  this  committee.  Assuming  Congressman  Leach  is  reelected,  be- 
cause of  the  rules  of  the  House,  he  will  not  be  Chairman  in  the 
next  Congress.  Maybe  he  could  be  Ranking  Member,  I  don't  know. 
But  if  the  Republicans  have  the  Majority,  it  will  probably  be  Ms. 
Roukema  or  Mr.  Oxley  or  Mr.  Baker,  God  only  knows.  But  I  don't 
think  there  is  ever  going  to  be  a  Chairman  and  Ranking  Member 
who  are  so  similarly  disposed  substantively  on  such  an  extremely 
important  issue,  and  also  of  similar  personal  disposition.  And  I 
would  hope  that  we  could  take  this  opportunity  to  craft  something 
that  is  better  than  both  our  bills  and  as  broad  and  comprehensive 
as  possible,  because  we  might  not  ever  have  another  opportunity. 
I  thank  you  and  I  thank  the  Chair  very  much. 

Chairman  Leach.  Well,  thank  you,  John.  Let  me  thank  you  all 
again.  Your  comments  have  been  splendid.  Thank  you. 

The  hearing  is  adjourned. 

[Whereupon,  at  2:05  p.m.,  the  hearing  was  adjourned.] 


APPENDIX 


June  14,  2000 


(65) 


66 


CURRENCY 

Committee  on  Banking 
and  Financial  Services 


James  A.  Leach,  Chairman 


For  Immediate  Release: 
Wednesday,  June  14,  2000 


Contact:  David  Runkel  or 
Brookly  McLaughlin  (202)  226-0471 


Opening  Statement 

Of  Rep.  James  A.  Leach 

Chairman,  House  Banking  and  Financial  Services  Committee 

Hearing  on  H.R.  4585 


The  Committee  meets  today  to  hear  testimony  on  H.R.  4585,  the  Medical  Financial  Privacy 
Protection  Act,  which  would  protect  the  most  sensitive  information  about  an  individual  that  is 
held  by  a  financial  firm. 

Before  summarizing  this  proposal  let  me  review  the  legislative  background  of  this  issue. 

Last  year,  in  consideration  of  H.R.  10,  the  Financial  Services  Modernization  Act,  this  Committee 
for  the  flrst  time  in  the  long  history  of  bank  reform  legislation  approved  a  privacy  package.  In 
addition  to  erecting  privacy  shields  for  American  financial  services  customers,  including  a  ban  on 
the  transfer  of  information  to  third  party  telemarketers  and  a  clamp  down  on  identity  theft,  that 
bill,  as  it  left  this  Committee  contained  a  provision  that  would  have  walled  off  the  medical  records 
held  by  an  insurance  company  from  other  affiliates  of  a  financial  services  holding  company,  as 
well  as  non-affiliated  third  parties. 

H.R.  10  passed  the  House  with  the  strongest  privacy  protections  ever  incorporated  into  banking 
law,  importantly  including  the  medical  privacy  provisions  that  originated  in  our  Committee. 
Later,  however,  at  the  request  of  the  Administration  and  the  insistence  of  the  minority  party  on 
the  floor  that  the  issue  be  addressed  through  executive  action  rather  than  legislation,  the  medical 
privacy  provisions  were  dropped  from  the  final  version  of  the  bill. 

Now,  it  appears  that  consensus  is  developing  among  the  interested  parties  in  the  government  on 
the  desirability  of  moving  forward  with  a  legislative  approach  to  medical  privacy.  In  this  regard, 
the  language  of  H.R.  4585  is  consistent  with  the  medical  privacy  recommendations  forwarded  to 
Congress  by  the  Treasury  Department  six  weeks  ago  and  responds  to  the  concerns  outlined  by  the 
President  in  his  April  30  speech  at  Eastern  Michigan  University  in  Ypsiianti.  And  in  an  important 
disclosure  area  that  deals  with  information  concerning  mental  health  or  condition,  H.R.  4585  goes 
beyond  the  Administration  recommendations. 

The  legislation  is  also  consistent  with  the  financial  industry  accord  announced  last  week.  The 
industry  is  to  be  complimented  for  agreeing  voluntarily  to  provide  a  credible  degree  of  privacy 
protection  of  the  medical  records  of  their  customers.  Some  would  even  contend  that  because  of  this 
voluntary  agreement  and  because  of  the  industry's  general  record  of  safeguarding  medical 
records,  any  legislation  represents  a  solution  seeking  a  problem. 


67 


Yet,  llic  background  uf  legislative  concern  in  this  area  relates  less  to  any  history  of  past  industry 
abuse  or  of  new  financial  industry  organization,  but  rather  to  the  implications  of  modern 
information  technology  as  it  relates  to  new  genetics  science  advances.  So  much  more  can  now  be 
known  about  and  predicted  about  individuals  based  on  medical  testing  that  it  is  important  to  put 
common  sense  restraints  in  place  before  temptingly  improper  industrial  practices  begin. 

The  major  provisions  of  the  bill,  II.R.  4585,  which  is  the  principal  subject  matter  of  the  hearing, 
are  as  follows: 

•  Mnancial  institutions  will  be  required  to  obtain  customer's  affirmative  consent  ("opt  in") 
before  disclosing  individually  identifiable  health  information  to  an  afllliate  or  non-affiliated 
third  party. 

•  A  flnancial  institution  will  be  prohibited  from  obtaining  or  using  individually  identifiable 
health  information  in  deciding  whether  to  issue  credit,  unless  the  prospective  borrower 
expressly  consents. 

•  Information  relating  to  mental  health  or  mental  condition  will  be  singled  out  for  particular 
protection  with  separate  and  specific  customer  consent  required  to  disclose  such 
information,  and  special  policies  developed  by  regulators  to  protect  its  confidentiality. 

«  Consumers  will  be  given  the  right  to  inspect,  copy,  and  correct  individually  identifiable 
health  information  that  is  under  the  control  of  a  financial  institution. 

•  Strict  limitations  will  be  placed  on  the  redisclosure  and  reuse  of  individually  identifiable 
health  information  legitimately  obtained  by  a  financial  institution. 

•  Nothing  will  be  done  to  modify,  limit  or  supersede  medical  privacy  standards  promulgated 
by  the  Secretary  of  Health  and  Human  Services  pursuant  to  authority  granted  under  the 
Health  Insurance  Portability  and  Accountability  Act. 

The  approach  contemplated  in  H.R.  4585  is  designed  to  augment  the  privacy  provisions  of  the 
Financial  Modernization  bill  passed  last  year.  Rules  to  implement  those  privacy  protections  are  in 
the  process  of  being  implemented  by  the  Executive  Branch,  and  I  believe  I  can  speak  for  all 
Members  of  the  Committee  in  encouraging  the  regulators  to  move  expeditiously  so  that  all 
Americans  can  be  more  secure  in  the  privacy  of  their  financial  information. 

Before  hearing  today  from  the  Administration,  government  officials,  industry  representatives  and 
privacy  groups  on  their  perspectives  on  this  matter,  let  me  ask  Mr.  LaFalce  if  he  has  an  opening 
statement. 

iJiJiJii  Jiii 


68 


Opening  Statement 

H.R.  4585  -  Medical  Financial  Privacy  Protection  Act 

Rep.  Stephanie  Tubbs  Jones 

Good  Morning,  Chairman  Leach,  Ranking  Member  LaFalce  and  Members  of  this 
Committee.  Mr.  Chairman,  I  ask  unanimous  consent  that  my  full  statement  be  included 
in  the  Record. 

I  want  to  thank  Chairman  Leach  for  his  outstanding  leadership  of  the  Banking 
Committee,  in  general,  and  more  specifically  his  leadership  in  moving  H.R.  4585, 
Medical  Financial  Privacy  Protection  Act,  forward  to  a  hearing. 

Consumers  of  this  nation  deserve  better  privacy  protections  with  respect  to 
medical  and  financial  information  and  records.  In  the  midst  of  Gramm-Leach-Bliley, 
growth  of  the  internet,  speed  at  which  information  travels  and  coupled  with  the  increasing 
numbers  of  corporate  mergers  and  subsidiary  structures  today,  consumers  desperately 
need  privacy  protections. 

While  there  is  much  still  to  be  learned  about  consumers'  views  on  the  collection 
and  use  of  personal  information  in  the  online  environment  and  between  entities,  it  is 
possible  to  discern  some  general  trends.  Survey  research  conducted  over  the  last  twenty 
years  documents  deep  concern  among  Americans  about  how  personal  information  is 
being  used. 

•  82%  stated  that  they  are  concerned  about  threats  to  their  personal  privacy 

•  78%  believe  that  consumers  have  lost  all  control  over  how  businesses  circulate  and 
use  personal  information; 

•  66%  believe  businesses  ask  consumers  for  too  much  information 


There  are  benefits  of  online  technology  in  the  areas  of  health  care  and  financial 
services.  Electronic  transmission  of  medical  information  can  enhance  the  quality  of 
health  care  by  facilitating  long  distance  consultations  and  allow  doctors  to  use  email  to 
monitor  patients  compliance  with  treatment.  In  addition,  online  technology  could 
assist  consumers  by  making  financial  information  that  is  currently  available  only 
through  intermediaries  instantly  available  to  them. 

However,  some  concerns  exist  as  well.  There  is  a  genuine  concern  about 
unauthorized  access  to  sensitive  medical  and  financial  information.  Companies  with 
health  affiliates  can  easily  "cherry  pick"  clients  for  benefits  plans,  thus  leaving  those 
with  a  history  of  health  and  health  related  illnesses  with  no  coverage  or  very  expensive 
coverage.  The  confidentiality  of  medical  records  could  be  compromised  and  misued  by 
third  parties  who  gain  access  through  chat  rooms,  bulletin  boards  and  other  means. 


69 


Also,  there  is  concern  about  the  commercialization  of  financial  and  medical 
information.  Medical  information  should  never  be  disclosed  or  used  for  marketing 
purposes,  unless  there  is  voluntary  consent  and  knowledge. 

I  support  legislation  that  lays  out  clear  "notice"  regulations.  Notice  is  the  first 
principle  in  advancing  information  privacy.  Notice  should  include  clear  language 
written  or  typed  in  conspicuous  form. 

Consumer  choice.  Consumers  should  be  able  to  exercise  choice  with  respect  to 
whether  their  personal  information  is  used.  There  may  be  disagreement  as  to  how 
choice  is  to  be  exercised,  but  consumers  must  have  choice.  I  favor  "opt  out"  provisions 
that  allow  consumers  to  agree  not  to  participate  in  information  sharing,  etc.  I  believe 
the  easiest  way  to  do  this  is  to  require  affirmative  consent  prior  to  any  collection  or 
commercial  use  of  a  consumer's  personal  information.  Individual  do  have  a  property 
interest  in  their  personal  information. 

I  believe  H.R.  4585  is  a  positive  step  forward  to  providing  consumers  with 
protections  regarding  to  their  personal  financial  and/or  medical  information.  I  hope  that 
this  hearing  today  is  not  taken  lightly.  There  are  many  constituents  in  my  districts  who 
are  deeply  concerned  about  how  big  business,  now  with  access  to  their  medical  records, 
will  use  it  against  them. 

I  realize  today,  in  our  technological  society,  that  security  of  personal  information 
is  essential  if  commerce  in  cyberspace  is  to  flourish.  Consumers  should  have  access  to 
information  about  them  and  determine  whether  information  can  be  shared  with  third 
parties.  We,  as  members  of  this  committee  and  Congress,  have  a  responsibility  to 
continue  to  protect  consumer  interests  relative  to  this  sensitive  topic.  We  must  enact 
legislation,  like  H.R.  4585,  that  helps  to  clear  up  shades  of  gray  relative  to  information 
sharing  of  records  and  determining  the  appropriate  balance  for  the  consumer  relative  to 
their  property  and  privacy  rights. 

I  support  the  Chairman's  legislation  and  look  forward  to  this  hearing. 


70 


Statement  of  Congresswoman  Sue  Kelly 

Hearing  on  H.R.  4585,  the  Medical  Financial 

Privacy  Protection  Act 

June  14,  2000;  10:00  a.m.;  Room  2128,  Rayburn 

Thank  you  Mr.  Chairman. 

Chairman  Leach,  Mr.  LaFalce  I  would  like  to  thank  you  both  for  agreeing  to  hold  today's 
hearing  on  the  important  issue  of  medical  records  privacy.  Privacy  of  our  medical 
records  should  be  an  established  right  ~  this  is  common  sense.  Medical  information 
constitutes  the  most  personal  of  information,  which  should  not  be  shared  without  the 
clear  consent  of  the  individual. 

Around  this  time  last  year  the  House  passed  H.R.  10,  an  excellent  piece  of  legislation  to 
bring  our  financial  services  into  the  2  P  Century.  This  legislation  contained  the  greatest 
expansion  of  privacy  in  the  history  of  American  finance.  I  believe  this  was  the  right  thing 
to  do  for  America.  As  has  been  pointed  out,  some  believe  that  this  legislation  did  not  go 
far  enough,  and  while  we  can  advance  legislation  to  strengthen  these  provisions,  that  is  a 
far  easier  proposition  than  repealing  laws  which  have  gone  too  far. 

Last  year  the  House  passed  bill  contained  protections  for  personal  medical  information. 
Unfortunately,  this  provision  was  struck  in  conference.  It  is  time  for  that  mistake  to  be 
corrected. 

Chairman  Leach  has  done  an  excellent  job  of  crafting  the  bill  we  have  before  us  today. 
The  Medical  Financial  Privacy  Protection  Act  will  correct  the  mistake  made  last  year.  Of 
course,  as  with  most  legislation  we  can  always  polish  the  edges.  I  hope  that  in  this 
process  1  can  work  with  members  on  both  sides  of  the  aisle  to  firmly  establish  a 
reasonable  middle  ground.  On  an  issue  of  such  importance  it  is  far  too  easy  to  establish 
positions  from  which  one  can  claim  that  the  legislation  goes  too  far  or  not  enough.  I  hope 
we  can  all  come  together  in  a  mutual  effort  to  move  this  legislation  forward. 

In  some  cases  it  is  necessary  to  provide  personal  medical  information  to  insurance 
companies,  this  practice  should  not  be  hampered.  Insurance  companies  must  be  able  to 
make  clear  determinations  of  risk  when  considering  life  insurance  policies.  But  beyond 
these  legitimate  activities  this  information  must  be  kept  confidential. 

I  thank  the  witnesses  for  taking  the  time  to  join  us  here  today  to  share  with  us  their 
considerable  knowledge  so  we  can  arrive  at  a  solid,  mutually  agreed  on  piece  of 
legislation.  I  look  forward  to  discussing  these  issues  with  them. 

Again  I  thank  the  Chairman  and  yield  back  the  balance  of  my  time. 


71 

Statement  of 

HON.  JOHN  J.  LaFALCE 

Hearing  on  the  H.R.  4585-Medical  Financial  Privacy  Protection  Act 
Committee  on  Banking  and  Financial  Services 

June  14,  2000 


Mr.  Chairman,  this  morning's  hearing  continues  this  Committee's  work  on 
financial  privacy  which  we  began  two  years  ago  when  you  introduced  legislation  which  I 
co-sponsored  to  prohibit  pretext  calling  and  other  privacy  abuses,  and  I  introduced  a 
related  bill  to  impose  obligations  on  financial  institutions  to  protect  the  confidentiality  of 
customer  information.  I  am  pleased  to  say  that  both  proposals  were  enacted  into  law  as 
part  of  last  year's  Financial  Modernization  legislation  in  much  the  same  form  as  they 
were  originally  introduced. 

This  year  I  introduced  H.R.  4380,  a  comprehensive  proposal  developed  in  concert 
with  the  Administration  to  address  financial  privacy  broadly.  H.R.  4585,  which  the 
Chairman  has  introduced,  addresses  only  one  issue-medical  privacy-by  restricting  the 
use  and  disclosure  by  financial  institutions  of  personally  identifiable  health  and  medical 
information.  This  is  an  issue  not  included  in  the  legislation  adopted  last  year  and  not 
adequately  addressed  in  pending  HHS  privacy  regulations. 

Both  H.R.  4380  and  H.R.  4585  reflect  the  growing  bipartisan  recognition  that  the 
privacy  protections  adopted  last  year  do  not  go  far  enough  in  assuring  that  sensitive 
personal  information  will  be  protected  by  financial  institutions  and  that  additional 
protections  must  be  enacted. 

The  issue  of  medical  financial  privacy  eluded  us  last  year.  The  Committee  did 
adopt  a  narrow  provision  to  restrict  the  use  of  health  information  in  connection  with  credit 
decisions  that  was  replaced  by  a  broader  bipartisan  financial  privacy  proposal  on  the 
House  floor.  A  Commerce  Committee  proposal  to  restrict  the  disclosure  of  health-related 
information  by  insurance  companies-the  so-called  "Ganske"  provision-was  omitted  in 
conference  in  response  to  strong  bipartisan  concerns  that  it  might  preempt  pending  HHS 
privacy  regulations,  preempt  stronger  state  medical  privacy  laws,  and  permit  widespread 
sharing  of  sensitive  health  data  under  a  broad  exception  for  health  research.  All  the  major 
medical  and  hospital  associations,  patient  and  consumer  groups  and  privacy  advocates 
agreed  that  the  Ganske  language  created  greater  potential  privacy  problems  than  it 
resolved. 

Both  H.R.  4585  and  H.R.  4380  are  meritorious  proposals.  In  many  respects,  H.R. 
4585  is  comparable  to  the  medical  privacy  provisions  of  H.R.  4380.    I  do  have  some 
concerns,  however,  that  I'm  sure  can  be  worked  out,  about  specific  details  of  this  bill. 

But,  the  primary  limitation  of  H.R.  4585  is  that  it  applies  only  to  medical  and 
health  information.  The  higher  standard  of  protection  for  sharing  of  consumer  profiles 


72 


and  lists  should  apply  to  all  sensitive  financial  and  health  information.  The  new 
protections  for  consumer  access  and  correction  should  apply  to  all  sensitive  financial 
information.  The  stronger  standards  for  reuse  and  redisclosure  of  information  should 
apply  to  all  sensitive  financial  information  and  not  just  health  or  medical  information. 

In  short,  H.R.  4585  is  a  good  effort,  but  we  clearly  need  to  do  more.    If  consumers 
don't  want  their  financial  account  information  shared  with  affiliated  companies  without 
their  knowledge,  we  need  to  do  more  than  this  legislation.    If  consumers  object  to  having 
their  spending  habits  and  product  preferences  monitored  and  sold  or  shared  for  marketing 
purposes,  we  need  to  do  more  than  this  legislation.  If  consumers  don't  want  health  and 
insurance  information  taken  into  consideration  for  investment  or  employment  decisions, 
we  need  to  do  more  than  this  legislation.  If  American  consumers  want  to  have  the  same 
privacy  rights  being  given  to  European  customers  of  U.S.  institutions,  we  need  to  do  more 
than  this  legislation.  And  if  consumers  want  the  right  to  determine  if  their  financial 
records  are  accurate  and  up  to  date,  we  must  do  more  than  this  legislation. 

I  urge  today's  witnesses  not  to  confine  themselves  solely  to  the  topic  of  medical 
privacy,  and  would  welcome  any  comments  on  the  broader  aspects  of  the 
Administration's  privacy  proposals  as  contained  in  my  bill,  H.R.  4380,  or  any  other 
proposals  that  are  needed  to  assure  the  strongest  possible  privacy  protections  for 
America's  consumers. 

I  thank  the  Chairman  for  accommodating  the  Minority's  requests  for  witnesses  for 
today's  hearing-all  of  whom,  unfortunately,  are  in  the  fourth  panel-and  I  join  with  the 
Chairman  in  welcoming  all  of  today's  witnesses. 


73 


Opening  Statement  of 

Honorable  Barbara  Lee 

Full  Committee  on  Banking  and  Financial  Services 

Hearing  on  H.R.  4585,  the  Medical  Financial  Privacy  Protection  Act 

June  14,  2000 

Thank  you,  Mr.  Chairman  and  Mr.LaFalce,  and  thank  you  to  our  guests  who  have  come 
here  to  speak  on  the  right  of  individuals  to  medical  privacy.  Consumers  have  real  and  legitimate 
concerns  about  medical  privacy  and  financial  institutions. 

In  the  relationship  between  our  financial  institutions  and  the  consumer  the  core  value  of 
must  be  trust.  Financial  institutions  cannot  succeed  without  the  trust  of  their  customers. 

I  commend  the  Chairman  for  his  proposal  and  I  recognize  the  importance  of  this  issue. 
However  I  feel  that  we  as  a  body  should  be  doing  even  more  to  insure  the  privacy  of  our  citizens. 
I  especially  feel  this  is  important  when  dealing  with  the  privacy  of  medical  records. 

Medical  records  are  a  sensitive  subject.  Our  constituents  count  on  us  to  ensure  that  this 
system  remains  private.  Information  about  physical  and  mental  health  should  not  be  exposed  to 
the  prying  eyes  of  credit  checks  or  other  financial  transactions.  We  should  be  able  to  tell  our 
constituents,  "your  records  are  safe." 

As  we  discuss  medical  privacy,  we  should  consider  the  present  administration's  privacy 
initiative,  which  offers  a  more  comprehensive  approach  to  medical  privacy  for  consumers. 

Thank  you,  Mr.  Chairman  and  Ranking  Member  LaFalce,  for  having  this  hearing  on  this 
important  matter,  and  thank  you  to  our  guests  for  coming  here  and  speaking  to  us  today. 


74 


House  Banking  Committee 

Opening  Statement 

Rep.  Carolyn  B.  Maloney 

June  14,  2000 

Thank  you  Mr.  Chairman  for  holding  this  critical  hearing  on  consumer  privacy.  I  truly  hope  this 
is  a  sign  that  the  House  Republican  leadership  is  prepared  to  provide  consumers  with  greater 
privacy  protections  this  Congress. 

The  importance  of  this  issue  is  underscored  by  the  E-sign  legislation  on  the  floor  of  the  House 
today.  This  legislation  will  allow  increased  commerce  to  be  conducted  over  the  Internet. 

It  also  underlies  the  important  balance  that  must  be  struck  in  legislating  new  privacy  protections. 
Consumer's  financial  and  medical  information  must  be  accorded  significant  legal  protections  but 
privacy  must  be  crafted  so  that  the  pace  of  electronic  commerce  is  not  slowed. 

Without  additional  privacy  protections,  electronic  commerce,  and  especially  Internet-based 
financial  services,  could  be  undermined  if  consumers  are  not  confident  that  their  privacy  is  being 
protected. 

Last  year  this  Committee  took  a  small  first  step  in  ensuring  that  consumer  privacy  is  protected  as 
financial  institutions  continue  to  merge  and  as  the  economy  becomes  increasingly  digital. 

These  were  simple  common  sense  protections  that  give  consumers  the  opportunity  to  review 
their  fmancial  institution's  privacy  policies  and  the  opportunity  to  restrict  the  sharing  of  their 
information  fi^om  third-party  marketers. 

The  Chairman's  bill  includes  some  key  principles  -  especially  that  credit  decisions  should  not  be 
based  on  health  information.  However,  I  would  hope  that  as  this  Committee  continues  to  work 
on  consumer  privacy  that  Rep.  LaFalce's  legislation  providing  comprehensive  financial  privacy 
protections  is  a  focus  of  our  consideration. 

Thank  you  Mr.  Chairman.  I  yield  back  the  balance  of  my  time. 


75 


Statement  for  the  Record 

House  Committee  on  Banking  and  Financial  Services 

Hearing  on  the  Medical  Financial  Privacy  Protection  Act,  H.R.  4585 

Rep.  Edward  J.  Markey  (D-MA) 

June  14, 2000 

Chairman  Leach,  and  Ranking  Member  LaFalce,  I  thank  you  for  the  opportunity 
to  testify  before  you  today  on  one  of  the  most  important  issues  facing  our  nation. 

Privacy.  The  right  to  be  let  alone.  One  of  the  most  basic  values  of  our  society - 
an  old  value  threatened  by  a  new  economy.  The  question  of  the  hour  is  how  to  best 
approach  protecting  this  value  we  hold  so  sacred?  How  to  animate  our  new  economy  with 
our  old  values.  How  to  create  commerce  with  a  conscience. 

In  the  past,  privacy  concerns  triggered  thoughts  of  George  Orwell's  1984,  where 
the  greatest  threat  to  privacy  was  Big  Brother  -  the  government.  Today,  the  principal 
threat  to  personal  privacy  comes  from  the  desire  to  earn  Big  Bucks.  Corporate  greed  is 
what  drives  today's  threat  of  our  "right  to  be  let  alone".  And  because  of  this,  we  have 
fewer  and  fewer  privacy  keepers  and  more  and  more  personal  information  reapers. 

Right  now,  when  it  comes  to  your  financial  records,  there  are  very  few  protections 
to  prevent  a  financial  services  firm  from  disclosing  every  check  you've  ever  written, 
every  credit  card  charge  you've  ever  made,  the  medical  exam  you  got  before  you 
received  health  insurance.  And  as  you  sinf  the  Web,  there  are  no  rules  in  place  to  prevent 
various  web  sites  from  collecting  information  about  what  sites  you  are  viewing  and  how 
long  you  are  viewing  them.  If  you  buy  anything  over  the  Internet,  that  information  can 
be  linked  up  to  other  personal  identifiers  to  create  a  disturbingly  detailed  digital  dossier 
that  can  profile  your  lifestyle,  your  interests,  your  hobbies,  or  your  habits.  The  name  of 
the  game  is  Profiling  for  Profits  and  in  this  game  we  all  lose  -we  lose  our  right  to  keep 
our  personal  information  private. 

With  the  passage  of  last  year's  financial  services  bill  (Gramm-Leach-Bliley  Act) 
the  barriers  between  banks,  insurers  and  securities  firms  have  crumbled  allowing  for  the 
fi-ee  flow  of  information  between  these  newly  created  affiliates.  The  Gramm-Leach- 
Bliley  Act  provided  very  weak  privacy  protections  to  consimiers,  giving  them  no  right  to 
"opt  out"  of  having  their  personal,  nonpubUc  financial  information  transferred  to 
"affiliated"  third  partier  Furthermore,  there's  a  "joint  marketing  agreement"  provision 
that  allows  disclosures  of  a  customer's  information  to  nonaffiliated  third  parties  with 
which  the  institution  has  signed  a  contract.  These  two  loopholes  severely  compromise 
the  limited  "opt  out"  requirements  in  the  bill.  And  just  a  few  weeks  ago,  we  learned  that 
the  financial  regulators  have  decided  to  delay  full  implementation  of  even  these  minimal 
privacy  protections  until  July  2001 . 

So  you  see,  the  potential  for  invasions  of  privacy  are  everywhere,  when  you  click 
on  a  web  site,  when  you  pay  with  a  credit  card,  when  you  visit  your  doctor  and  share  your 
medical  information. 

Health  information  is  perhaps  the  most  sensitive  information  about  you  and  your 
family.  When  I  ask  you  to  picture  your  medical  record  I  would  bet  that  many  of  you 
picture  something  that  looks  like  a  file  folder  containing  the  documentation  of  your 
health  history  which  likely  could  include  some  of  the  most  personal  and  intimate  details 
of  your  life.  You  probably  imagine  this  record  in  your  doctor's  ofBce  or  your  local 


76 


hospital  locked  away  in  a  filing  cabinet,  the  keys  to  which  dangle  aroimd  the  neck  of  a 
trustworthy  nurse  who  looks  like  your  mother,  the  guardian  of  your  medical  information. 
But  as  I've  explained  here  today,  there  is  little  in  federal  law  to  protect  your  personal 
information  and  this  includes  your  medical  information. 

Health  information  privacy  has  been  of  great  concern  to  me.  Last  year  I 
introduced  a  comprehensive  medical  privacy  bill  -  the  Medical  Information  Privacy  and 
Security  Act,  H.R.  1057.  The  Senate  companion  bill  S.  573,  was  introduced  by  Senators 
Leahy  and  Kennedy.  In  addition,  I  joined  Mr.  Condit,  Mr.  Waxman  and  Mr.  Dingell  in 
introducing  the  Health  Information  Privacy  Act,  H.R.  1941. 

When  these  bills  were  introduced,  we  were  hopefiil  that  Congress  would  meet  the 
Health  Insurance  Portability  and  Accountability  Act  (HIPAA)  deadline  to  pass 
meaningfiil  medical  privacy  legislation  by  August  1999.  Unfortunately,  Congress  failed 
to  act.  Consequently,  HIPAA  required  the  Secretary  of  Health  and  Human  services  to 
promulgate  health  privacy  rules  -  however  the  statute  limits  HHS's  coverage  and  scope. 
Only  electronically  transmitted  information  is  covered,  and  only  health  information 
within  a  health  care  provider,  a  health  insurer  and  health  data  clearinghouses. 

Given  the  threats  to  health  privacy  that  the  Gramm-Leach-Bliley  Act  left 
unaddressed,  I  commend  the  Chainnan's  efforts  to  protect  sensitive  health  information 
through  the  bill  H.R.  4535.  However,  just  as  we  need  a  broad  approach  to  medical 
privacy,  I  believe  we  also  need  a  broad  approach  to  financial  privacy.  Unfortunately,  Mr. 
Leach's  privacy  bill  fails  to  protect  all  information  housed  in  a  financial  holding 
company  and  it  fails  to  close  the  gaping  loopholes  under  the  financial  services  bill  which 
allow  for  the  sharing  of  personal  financial  information  with  affiliates  and  non-affiliated 
third  parties.  Under  the  Leach  bill,  a  customer  has  no  right  "opt-out"  of  the  sharing  of 
personal  financial  information  that  provided  to  a  bank  when  filling  out  a  loan  application 
or  to  a  securities  firm  when  opening  a  brokerage  account. 

Last  November,  I  introduced  The  Consumer's  Right  to  Financial  Privacy  Act, 
H.R.  3320  to  close  the  privacy  loopholes  created  by  Gramm-Leach-Bliley  and  to  provide 
strong,  comprehensive  privacy  protections  for  all  personal  information.  Currently  the  bill 
has  the  bipartisan  support  of  71  Members.  I  am  also  a  lead  cosponsor  of  The  Consumer 
Financial  Privacy  Bill,  H.R.  4380,  introduced  by  Ranking  Member  LaFalce.  This  bill 
also  provides  comprehensive  protections  for  all  personal  information  and  requires  an 
"opt-in"  for  medical  information  and  personal  spending  habits.  It  also  closes  the  Gramm- 
Leach-Bliley  privacy  loopholes  which  allow  for  privacy  assaults  on  personal  financial 
information. 

Participation  in  the  new  economy  shouldn't  come  with  the  price  of  privacy.  In 
creating  commerce  with  a  conscience,  we  need  to  do  more  -  not  less—  in  protecting  our 
personal  information.  I  urge  this  committee  to  support  a  more  comprehensive  approach 
to  protecting  all  personal  information  within  a  bank  holding  company,  and  to  support 
closing  the  gaping  privacy  loopholes  which  exist  in  our  current  law. 

I  thank  you  for  this  opportunity  to  express  my  views  and  look  forward  to  working 
with  you  on  this  extremely  important  issue. 

#  #  # 


77 

OPENING  STATEMENT 
Hon.  Marge  Roukema 

Hearing  on  the  "Medical  Financial  Privacy  Protection  Act" 

June  14,  2000 


Today  the  Committee  will  be  addressing  a  topic  that  is  important  to  all  Americans — the 
right  to  expect  that  personal  health  and  medical  records  will  remain  private.  I  thank  the 
Chairman  for  holding  these  important  hearings. 

At  the  outset,  I  want  to  remind  everyone  that  I  strongly  supported  the  landmark  financial 
privacy  protections  in  the  Gramm-Leach-Bliley  Act.  They  are  important  protections  and  serve  as 
a  strong  foundation  on  which  we  most  likely  will  have  to  continue  to  build.  In  crafting  these 
protections,  I  worked  closely  with  my  colleagues  on  both  sides  of  the  aisle:  Mr.  LaFalce,  Mr. 
Vento,  Mr.  Oxley,  Ms.  Pryce,  and  Mr.  Frost.  In  the  end,  the  House  approved  the  privacy 
protections  by  an  overwhelming  427-1  margin.  Clearly,  Congress  has  shown  that  it  recognizes 
the  importance  of  privacy  protections  and  can  work  together  in  a  bipartisan  basis.  The  regulatory 
agencies  have  recently  issued  final  rules  implementing  these  financial  privacy  provisions.  My 
Subcommittee  will  be  holding  oversight  hearings  on  these  rules  in  late- July.  It  is  my  opinion 
that  additional  legislation  relating  to  the  privacy  of  financial  records  is  not  appropriate  until  the 
regulators  gain  some  experience  operating  under  the  final  rules. 

Today,  however,  we  specifically  address  the  privacy  of  medical  records.  I  want  to 
emphasize  that  fimdamental  medical  privacy  protections  were  originally  included  in  the  House- 
approved  version  of  the  financial  modemizafion  bill.  To  fiirther  analyze  this  issue,  my 
Subcommittee  held  two  days  of  hearings  last  July  on  both  financial  and  medical  privacy.  We 
heard  then  fi-om  many  of  the  same  witnesses  that  we  will  hear  fi-om  today.  At  that  hearing,  some 
of  the  witnesses  expressed  concerns  relating  to  the  medical  privacy  provisions.  I  supported 
working  out  the  areas  of  concern  discussed  at  the  hearing  during  the  House/Senate  Conference  so 
that  the  medical  privacy  provisions  were  kept  in  the  bill.  However,  at  the  insistence  of  the 
Administration  and  my  Democratic  colleagues,  the  medical  privacy  protections  were  dropped 
fi-om  the  bill  during  the  Conference.  Now  it  is  our  job  to  determine  how  best  to  move  forward  on 
medical  privacy  protections  in  separate  legislation.  It  is  critical  that  political  considerations  not 
undermine  our  efforts,  and  I  believe  that  we  will  be  able  to  work  together  in  a  bipartisan  maimer. 

I  should  emphasize  at  this  point  that  addressing  medical  privacy  protections  is  a 
complicated  issue.  There  are  several  substantive  concerns  that  must  be  addressed  that  I  hope  the 
witnesses  will  discuss  with  specificity.    Questions  that  need  to  be  answered  include:  Are  the 
limits  on  re-use  of  medical  information  adequate?  Are  the  exceptions  to  the  prior  notification 
and  consent  requirement  tailored  to  ensure  that  there  are  no  loopholes?    What  is  the  status  and 
the  scope  of  medical  privacy  standards  being  developed  by  HHS  under  the  authority  of  the 
Health  Insurance  Portability  and  Accountability  Act?  How  can  industry  concerns  over  the 
consumer's  right  to  access  and  correct  medical  information  held  by  a  financial  institution  be 
resolved?  I  look  forward  to  today's  testimony  for  guidance  on  these  issues,  and  with  that,  I  yield 
back. 


78 


TREASURY  UNDER  SECRETARY  GARY  GENSLER 
HOUSE  COMMITTEE  ON  BANKING  AND  FINANCIAL  SERVICES 

Mr.  Chairman,  Ranking  Member  LaFalce,  and  Members  of  the  Committee,  thank  you 
for  inviting  me  here  this  morning  to  present  the  Administration's  views  on  personal  fmancial 
privacy.  I  am  pleased  to  have  the  opportunity  to  discuss  these  important  issues,  and  to 
comment  on  H.R.  4585,  the  Medical  Financial  Privacy  Protection  Act  introduced  by  Chairman 
Leach  last  week. 

Protecting  consumers'  privacy  is  of  the  utmost  impxjrtance  to  the  President  and  the 
entire  Administration.  We  want  to  work  with  Congress  to  provide  Americans  with  the 
comprehensive  financial  privacy  protections  they  expect  and  deserve.  Our  financial  system's 
future  growth  rests  in  no  small  part  on  continued  consumer  confidence.  Effective  privacy 
protections  are  an  important  foundation  for  that  confidence.  While  we  made  some  significant 
progress  toward  this  goal  in  the  financial  modernization  bill  signed  by  the  President  last  year, 
we  believe  more  work  can  and  should  be  done  in  this  area. 

To  that  end,  the  President  announced  an  important  new  legislative  proposal  in  April, 
2000  to  provide  Americans  with  fully  effective  financial  privacy  protections.  The  plan 
enhances  consumer  choice  and  control  in  several  important  ways.  In  particular,  it  provides 
special  protections  for  especially  sensitive  information,  including  the  use  of  medical 
information  in  financial  settings. 

My  testimony  is  divided  into  four  main  parts: 

■  First,  I  will  discuss  the  importance  of  privacy  protections  and  the  changes  in  the  financial 
services  industry  that  are  making  this  an  ever-more  important  issue. 

■  Second,  I  will  review  last  year's  efforts  to  improve  personal  privacy  protections,  including 
the  provisions  in  the  financial  modernization  bill. 

■  Third,  I  will  outline  the  President's  comprehensive  Consumer  Financial  Privacy  Act 
initiative. 


79 


•     Finally,  I  would  like  to  comment  on  medical  privacy,  and  discuss  the  bill  introduced  last 
week  by  Chairman  Leach. 

I.  The  Importance  of  Privacy  in  America's  Changing  Financial  Markets 

Personal  privacy  is  a  fundamental  and  highly  prized  American  right.  From  our  nation's 
earliest  days,  citizens  have  been  concerned  about  intrusions  into  their  private  lives,  and  have 
fought  to  protect  themselves  from  unwarranted  invasions  of  their  privacy.  Over  time,  ideas 
regarding  what  constitutes  appropriate  privacy  protection  have  changed  as  our  society  and 
economy  have  evolved. 

Many  Americans  increasingly  feel  their  privacy  threatened  by  those  with  whom  they  do 
business.  These  concerns  are  particularly  acute  when  it  comes  to  the  privacy  of  financial 
information,  because  financial  data  can  be  used  to  paint  such  a  detailed  portrait  of  an 
individual's  life.  Financial  institutions  and  other  firms  are  able  to  consolidate  and  process 
information  about  individuals'  spending  and  investing  habits  in  ways  that  were  almost 
inconceivable  even  a  decade  ago. 

These  capabilities  are  increasing  public  anxiety  about  just  who  has  access  to  sensitive 
financial  information,  and  what  they  will  be  able  to  do  with  it.  A  significant  majority  of 
Americans  are  deeply  concerned  about  the  effects  that  changes  in  technology  are  having  on 
their  ability  to  preserve,  in  the  words  of  Justice  Louis  Brandeis,  "the  right  to  be  let  alone." 

Americans  want  the  ability  to  earn,  invest,  and  spend  their  money  without  having  to 
worry  about  that  information  being  obtained  -  and  perhaps  used  to  their  disadvantage  -  by 
firms  unknown  to  them,  or  having  that  information  open  to  inspection  by  the  world  at  large. 
Just  as  we  do  not  expect  letter  carriers  to  read  our  mail,  we  do  not  expect  financial  institutions 
to  amass  information  about  our  transactions,  consolidate  and  process  it,  and  use  it  for  purposes 
that  we  never  intended.  We  are  in  the  midst  of  three  sea-changes  in  the  financial  services 
sector,  however,  that  make  such  uses  of  information  an  increasing  possibility:  industry 
consolidation,  a  technological  revolution,  and  a  move  away  from  cash  towards  electronic 
transactions. 

Changes  in  Industry  Structure.  Integration  and  consolidation  in  the  financial  sector  is 
changing  the  outlook  for  data  privacy.  Banks  have  moved  into  insurance  and  securities 
activities,  insurance  companies  offer  products  that  comp>ete  with  bank  products,  and  investment 
banks  are  in  the  lending  business.  Thanks  to  the  hard  work  of  Chairman  Leach,  Ranking 
Member  LaFalce,  Members  of  this  Committee,  and  many  others,  last  year  the  President  was 
able  to  sign  into  law  a  financial  modernization  package  that  finally  eliminated  legal  barriers  to 
this  consolidation.  These  changes  will  bring  considerable  benefits  to  consumers  in  the  form  of 
increased  competition  and  greater  innovation.  The  desire  of  integrated  financial  services  firms 
to  profit  from  their  scale  has  created  a  powerful  incentive  to  treat  consumer  data  as  a  business 
asset,  however,  which  raises  concerns  about  how  that  information  will  be  used  and  controlled. 


80 


Technological  Advances.  Changes  in  technology  have  brought  the  ability  to  generate, 
process,  and  use  infonnation  in  ways  unimagined  when  most  of  our  commercial  and  consumer 
protection  laws  were  written.  These  advances  have  been  particularly  important  in  the  financial 
sector,  where  firms  are  spending  billions  of  dollars  each  year  on  computers  and  software  to 
reduce  costs  and  improve  service.  These  increasingly  sophisticated  tools  and  larger  stores  of 
transaction  and  other  financial  information,  however,  have  given  consumers  pause  about  the 
potential  uses  of  the  data  held  by  banks,  insurers,  and  other  financial  firms. 

The  Move  to  Electronic  Transactions.  Finally,  the  explosion  in  the  use  of  electronic 
payments  and  receipts  is  also  driving  concerns  about  data  handling  and  use.  -Americans' 
increasing  use  of  credit  cards,  debit  cards  and  (more  recently)  electronic  bill  payment  in  lieu  of 
cash  now  allows  financial  services  companies  to  collect  a  far  greater  amount  of  information  on 
each  individual's  transactions. 

Taken  together,  these  three  trends  -  industry  consolidation,  technological  advances,  and 
the  movement  from  cash  to  electronic  payments  and  receipt  systems  -  provide  financial 
services  firms  with  powerful  incentives  to  mine  consumer  information  for  profit,  and  the  tools 
with  which  to  do  so.  The  challenge,  therefore,  is  to  protect  the  privacy  of  consumers  while 
preserving  the  benefits  of  competition  and  innovation. 

II.  Efforts  to  Enhance  Financial  Privacy  Protections 

This  Administration  took  steps  to  address  these  challenges  in  May  of  1999,  when  the 
President  announced  his  plan  for  Financial  Privacy  and  Consumer  Protection  in  the  21" 
Century.  That  initiative  recognized  that  while  many  firms  collect  information  about  us, 
financial  institutions  have  access  to  a  unique  window  on  the  lives  of  most  Americans.  While  a 
grocery  store  may  learn  something  about  the  food  you  buy,  and  a  department  store  may  know 
what  kind  of  clothes  you  prefer,  banks,  insurers,  and  brokerage  firms  collect  a  range  of 
information  that  is  particularly  comprehensive  and  personal.  By  processing  all  of  your 
transactions,  a  bank  or  credit  card  company  can  know  much  more  about  you  than  any 
individual  merchant.  This  information  can  also  be  particularly  sensitive.  A  list  of  each 
prescription  drug  you  purchase  or  each  stock  you  buy  is  more  revealing  -  and  potentially  more 
open  to  misuse  -  than  a  list  of  the  music  CDs  you  buy. 

With  this  in  mind,  the  President  recommended  legislation  to  provide  consumers  with 
notice  and  choice  before  their  financial  information  is  shared  or  sold  -  the  right  to  say  "no"  to 
uses  of  information  that  individuals  find  invasive  or  inappropriate.  Central  to  this  policy  is  the 
idea  that  a  consumer's  financial  information  belongs  to  the  consumer,  not  the  financial 
institution  that  processes  the  transactions. 

At  the  time  this  announcement  was  made,  in  the  midst  of  the  financial  modernization 
debate,  the  President's  agenda  struck  many  as  ambitious.  Some  suggested  that  the  American 
people  did  not  feel  particularly  strongly  about  privacy  issues,  and  that  in  any  case  Congress 
was  not  prepared  to  act  on  legislation  in  this  area.  Clearly,  the  last  twelve  months  have  shown 
otherwise. 


81 


Although  privacy  was  not  initially  part  of  the  financial  services  debate,  this 
Administration  felt  strongly  that  if  the  rules  for  industry  structure  were  being  modernized, 
critical  protections  for  consumer  data  had  to  be  updated  as  well.  The  final  bill  made  progress 
toward  that  goal.  We  believe  that  the  new  law's  requirements  for  clearly  sUted  privacy 
policies,  for  effective  notices  to  consumers,  and  for  the  right  to  opt-out  of  third-party 
information  sharing  are  important  advances  in  privacy  protection  for  all  Americans. 

This  Administration  believes,  however,  that  much  more  can  and  should  be  done  on 
financial  privacy.  When  the  President  signed  the  financial  modernization  act,  he  said,  "I  do 
not  believe  that  [its]  privacy  protections  go  far  enough."  He  continued,  "Without  restraining 
the  economic  potential  of  new  business  arrangements,  I  want  to  make  sure  that  every  family 
has  meaningful  choices  about  how  their  personal  information  will  be  shared  within  corporate 
conglomerates.  We  can't  allow  new  opportunities  to  erode  old  and  fundamental  rights." 

III.  The  Consumer  Financial  Privacy  Act 

On  April  30,  2000,  the  President  announced  a  new  initiative  to  provide  Americans  with  the 
additional  protections  he  promised.  That  legislation  is  now  before  Congress  as  H.R.  4380,  the 
Consumer  Financial  Privacy  Act.  This  bill  takes  a  balanced,  comprehensive  approach  to 
financial  privacy,  providing  important  new  rights  and  protections  while  addressing  deficiencies 
in  last  year's  legislation.  I  would  like  to  take  a  few  minutes  to  describe  the  proposal. 

Opt-In  Protection  for  Especially  Sensitive  Inrormation.  A  central  Administration 
principle  regarding  privacy  is  that  the  greater  the  sensitivity  of  the  data  and  the  possible  harm 
from  misuse,  the  greater  should  be  the  level  of  privacy  protection.  The  Consumer  Financial 
Privacy  Act  therefore  calls  for  the  strongest  protections  in  two  highly  sensitive  areas:  the 
sharing  of  medical  information  by  financial  institutions,  and  the  use  of  detailed  personal 
spending  habits  information  about  individual  consumers.  In  these  areas  we  have  set  the  bar 
high,  requiring  institutions  to  get  affirmative  ("opt-in")  consent  from  consumers  before 
information  sharing  can  occur. 

•  Medical  Information.  A  consumer  seeking  a  loan  or  other  financial  products  such  as 
investment  advice  or  auto  insurance  should  not  have  to  worry  that  an  institution  is  making 
decisions  based  on  personal  medical  records  received  from  a  life  insurance  affiliate.  Life 
insurance  databases  should  not  become  the  new  source  for  marketing  campaigns  based  on 
medical  information.  The  Consumer  Financial  Privacy  Act  would  assure  that  companies  do 
not  gain  any  special  access  to  medical  records  by  being  part  of  a  financial  holding  company. 
Consumers  would  have  to  give  affirmative  consent  before  any  financial  firm  could  even 
receive  medical  information  from  a  life  insurance  affiliate  or  other  company. 

•  Personal  Spending  Information.  Americans  do  not  expect  a  bank  processing  checks  or 
credit  card  payments  to  take  their  most  sensitive  financial  information  and  share  that 
information  with  others.   Under  the  Administration's  proposal,  a  financial  firm  would  not  be 


82 


permitted  to  transfer  individualized,  personal  spending  habits  -  where  people  spend  their 
money,  where  they  earn  their  money,  and  what  they  buy  -  unless  a  customer  affirmatively 
consents  to  such  a  use  of  their  information. 

Opt-Out  Protection  for  Other  Financial  Information.  For  other  less  sensitive 
categories  of  financial  information,  we  believe  that  consumers  should  have  meaningful  choice  - 
the  opportunity  to  opt-out  -  before  a  financial  services  firm  can  share  their  financial  data  with 
any  other  entity  for  marketing  purposes.  Last  year's  legislation  granted  important  rights  to  opt 
out  of  information  sales  to  telemarketers  and  other  unaffiliated  firms.  The  Consumer  Financial 
Privacy  Act  would  extend  those  protections  to  information  shared  within  financial 
conglomerates.  In  a  world  where  affiliates  can  engage  in  activities  ranging  from  data 
processing  to  travel  agency,  consumers  deserve  to  have  as  much  control  over  flows  of 
information  to  affiliates  as  they  do  over  those  to  third  parties. 

The  Administration  proposal  would  also  close  the  exception  for  "joint  marketing"  in 
last  year's  bill.  This  provision  would  constitute  an  unnecessary  loophole  when  there  is  opt-out 
choice  for  affiliate  sharing. 

Exceptions  for  Important  Business  Practices.  The  Consumer  Financial  Privacy  Act 
would  preserve  financial  firms'  ability  to  share  information  for  important  business  practices  by 
providing  exceptions  from  consumer  choice  for  transaction  processing,  risk  management,  fraud 
prevention,  and  to  aid  in  law  enforcement.  In  addition,  the  proposal  will  provide  a  new 
exception  to  facilitate  the  development  of  innovative  customer  service  tools  such  as 
consolidated  monthly  statements  and  call-in  centers  that  can  access  information  from  affiliated 
firms  at  a  customer's  request. 

These  exceptions  are  crucial  for  the  growth  of  our  financial  industries.  They  must  be 
subject,  however,  to  appropriate  reuse  limitations.  We  include  such  limitations  in  order  to 
prevent  abuses. 

The  Administration's  proposal  thus  achieves  the  goal  of  matching  the  level  of  protection 
to  the  sensitivity  of  the  personal  information  involved  and  the  potential  abuses  of  such 
information.  For  the  most  sensitive  data  on  health  and  comprehensive  personal  spending 
habits,  we  call  for  opt-in  consent.  For  other  types  of  financial  information,  consumers  should 
have  the  right  to  opt-out  of  sharing  for  marketing  and  other  purposes.  Where  important 
business  practices  require  information  sharing,  we  provide  exceptions  to  consumer  choice,  but 
make  sure  that  consumers  are  protected  by  reuse  restrictions. 

Additional  New  Privacy  Protections.  Beyond  notice  and  consumer  choice 
requirements,  the  Administration  proposal  provides  additional  protections  in  several  key  areas, 
including: 

■  The  right  for  consumers  to  access  and  correct  information  held  by  financial  institutions,  to 
ensure  that  firms  are  not  deciding  whether  to  offer  them  services  based  on  mistaken 
information  about  their  financial  status; 


83 


■  Additional  enforcement  authority  for  the  Federal  Trade  Commission  and  State  Attorneys 
General; 

■  Stricter  limits  on  redisclosure  and  reuse  of  customer  information;  and 

•     Giving  consumers  the  tools  to  comparison  shop  by  requiring  institutions  to  provide  privacy 
policy  notices  up  front  or  upon  request. 

The  Administration  strongly  favors  a  comprehensive  approach  to  providing  additional 
privacy  protections.  We  found  that  last  year's  bill,  as  important  as  it  was,  did  not  go  far 
enough,  compelling  us  to  call  for  additional  legislation.  We  feel  that  our  proposal  covers  the 
necessary  ground,  filling  the  gaps  in  the  financial  modernization  act,  and  including  important 
new  protections.  The  American  people  want  and  deserve  these  privacy  protections  now,  for 
the  full  range  of  issues  addressed  in  the  President's  proposal. 

We  are  pleased  that  so  many  members  of  the  House  jmd  Senate  have  supported  this 
approach,  and  have  sponsored  these  proposals  in  Congress.  Improving  financial  privacy 
protections  is  a  priority  for  so  many  members  of  this  Committee.  I  would  especially  like  to 
thank  Ranking  Member  LaFalce  for  being  the  lead  sponsor  of  H.R.  4380  in  the  House.  I  also 
thank  the  other  Members  of  this  Committee  who  are  among  the  many  co-sponsors  of  this 
comprehensive  legislation. 

IV.  Medical  Privacy  and  Financial  Services 

Let  me  turn  now  more  specifically  to  the  issue  of  medical  privacy  in  the  financial 
context.  This  Administration  firmly  believes  that  all  Americans  should  be  protected  against  the 
misuse  of  their  highly  sensitive  health  and  medical  data.  We  feel  that  there  is  broad  agreement 
in  the  private  sector  and  among  the  public  that  improving  medical  privacy  is  the  right  thing  to 
do. 

We  are  deeply  committed  to  providing  consumer  control  and  rigorous  statutory 
safeguards  in  the  area  of  medical  privacy.  Congress  and  the  Administration  worked  together 
in  1996  to  enact  the  Health  Insurance  Portability  and  Accountability  Act  (HIPAA).  HIPAA 
called  for  enactment  of  comprehensive  privacy  legislation  by  August  1999,  and  instructed  the 
Department  of  Health  and  Human  Services  to  issue  rules  if  that  deadline  were  not  met. 
President  Clinton  announced  the  proposed  rules  last  October.  He  has  pledged  that  final 
medical  privacy  regulations  will  be  issued  this  year.  By  its  terms,  HIPAA  applies  only  to 
"covered  entities"  such  as  health  providers,  health  plans  (including  health  insurance 
companies),  and  health  clearinghouses.  Its  protections  do  not  apply  to  most  financial 
institutions,  including  life,  auto,  workers'  compensation,  property  and  casualty,  and  many 
disability  insurance  companies.  The  Consumer  Financial  Privacy  Act  and  H.R.  4585  would 
provide  the  first  specific  federal  protections  for  medical  information  in  financial  institutions 
that  are  not  covered  by  HIPAA. 


84 


As  we  have  seen  in  past  attempts  to  address  medical  privacy  in  the  financial  context,  it 
can  be  difficult  to  reach  solutions  that  do  not  have  unintended  consequences.  In  last  year's 
financial  modernization  debate,  proposals  were  offered  that  addressed  some  issues,  but  could 
have  seriously  undermined  other  crucial  medical  privacy  initiatives. 

For  instance,  measures  under  consideration  last  year  would  have  preempted  the  HIPAA 
regulations  that  HHS  is  now  in  the  process  of  making  final.  The  provisions  would  have 
exempted  the  health  information  they  did  cover  from  the  re-use  restrictions  of  the 
modernization  bill,  providing  a  significant  loophole  for  the  inappropriate  release  of  confidential 
health  information.  They  also  would  have  permitted,  under  the  guise  of  "research," 
exceptions  for  the  sharing  of  large  volumes  of  extremely  sensitive  medical  information  that 
would  be  prohibited  under  the  proposed  HHS  rules.  Ultimately,  these  provisions  were  not 
included  in  the  final  bill  so  that  the  issues  could  be  examined  more  thoroughly. 

We  have  looked  closely  at  these  issues  in  the  ensuing  months,  in  consultation  with  HHS 
and  others.  We  believe  that  our  new  proposal  provides  appropriately  strong  protections  for  the 
use  of  health  information  in  the  context  of  financial  products  and  services.  We  believe  it  meets 
the  central  challenges  I  just  mentioned.  The  proposal: 

■  Addresses  the  use  of  medical  information  in  a  broad  context,  covering  the  provision  of  all 
financial  products  and  services; 

•  Avoids  broad  exceptions  that  could  render  the  protections  ineffective;  and 

■  Clarifies  that  nothing  in  the  financial  modernization  laws  would  modify  or  supersede 
HIPAA's  privacy  protections,  preserving  the  effectiveness  of  these  important  rules. 

H.R.  4585,  The  Medical  Financial  Privacy  Protection  Act 

Mr.  Chairman,  by  convening  this  hearing  you  are  creating  a  much  appreciated 
opportunity  to  discuss  the  important  issues  surrounding  financial  privacy.  Your  legislation  is 
focused  specifically  on  medical  privacy.  While  we  continue  to  believe  that  it  is  necessary  to 
seek  legislation  that  provides  comprehensive  privacy  protections,  your  bill  offers  a  starting 
point  for  consideration  of  several  issues  that  we  know  will  be  an  important  part  of  a  truly 
effective  privacy  regime.  Your  bill,  H.R.  4585,  seeks  to  address  the  privacy  of  medical 
information  in  four  primary  ways: 

•  In  the  context  of  making  decisions  about  a  loan  or  other  extension  of  credit,  an  institution 
may  not  receive  or  use  health  information  about  a  consumer  from  another  company  unless 
it  has  provided  notice  and  obtained  affirmative  consent. 

■  The  bill  bars  financial  institutions  from  disclosing  medical  information  to  affiliates  or  third 
parties  without  providing  notice  and  obtaining  opt-in  consent. 


85 


•  An  institution  must  obtain  affirmative  opt-in  consent  before  it  can  transfer  detailed  personal 
health  spending  information  about  a  consumer  to  an  affiliate  or  third  party. 

■  Institutions  must  provide  consumers  with  access  to,  and  the  opportunity  to  correct, 
individually  identifiable  health  information.  The  bill  also  provides  additional  protections 
for  the  reuse  of  health  information,  and  for  mental  health  information. 

Mr.  Chairman,  we  appreciate  your  personal  involvement  in  this  area.  You  have 
introduced  legislation  that  furthers  the  debate  on  these  critically  important  issues.  There  is 
common  ground  between  your  bill  and  the  Administration's  proposal  regarding  -  financial 
medical  privacy.  H.R.  4585  does  differ  in  significant  respects,  however,  from  the 
Administration's  proposal.  While  there  are  a  number  of  other  issues,  let  me  highlight  our  two 
most  important  concerns. 

Scope  of  the  Bill.  We  believe  that  financial  privacy  legislation  should  address  the  full  range  of 
important  consumer  protections.  The  Administration's  Consumer  Financial  Privacy  Act 
addresses  the  full  range  of  important  financial  privacy  issues  that  now  face  the  American 
people.  It  would,  among  other  measures,  provide  opt-in  protection  for  consumer  personal 
spending  habits;  require  customer  choice  before  information  is  shared  among  corporate 
affiliates;  provide  customers  with  access  to  and  the  ability  to  correct  their  financial  records; 
assure  that  privacy  policies  will  be  available  for  comparison  shopping;  and  enhance 
enforcement  authorities  where  needed. 

H.R.  4585,  by  contrast,  is  a  narrower  bill  that  addresses  only  the  medical  privacy 
issues  covered  by  the  Consumer  Financial  Privacy  Act.  Some  of  the  issues  I  just  noted,  such  as 
personal  spending  habits,  access,  and  reuse,  are  included  in  H.R.  4585,  but  solely  as  it  relates 
to  personal  health  information.  Medical  privacy  within  the  financial  services  industry  is  vitally 
important,  but  is  only  one  of  the  financial  privacy  issues  that  must  be  addressed.  American 
consumers  want  and  deserve  a  broad  set  of  protections. 

Receipt  and  Use  Provisions.  The  provisions  in  H.R.  4585  concerning  "use  or  receipt"  of 
medical  information  apply  only  to  "a  loan  or  credit  to  a  consumer."  We  feel  that  it  is  crucial 
to  apply  the  privacy  protections  beyond  the  "loan  or  credit"  setting.  A  provision  that  applies  to 
disclosure  and  use  of  health  information  only  with  respect  to  "loans  or  credit"  would  permit 
uses  of  health  information  in  situations  involving  mariceting  and  other  financial  settings.  It  is 
unclear  why  the  use  of  sensitive  medical  information  should  be  subject  to  restrictions  in  the 
provision  of  a  loan,  but  not  in  the  provision  of  investment  advice,  auto  insurance,  travel 
services,  or  any  of  the  many  other  non-credit  products  now  permitted  in  financial  holding 
companies. 

An  additional  provision  in  the  President's  receipt  and  use  proposals  provides  that  a 
financial  services  firm  can  only  receive  or  use  medical  information  from  an  affiliate  or  third 
party  that  it  requires  of  all  of  its  customers  for  a  particular  product  or  service.  The  language 
in  H.R.  4585  that  seems  to  address  this  same  topic  is  unclear,  and  may  have  unintended 
consequences. 


86 


Conclusion 

Mr.  Chairman,  thank  you  for  providing  this  forum  for  the  discussion  of  these  critically 
important  issues.  This  hearing  provides  a  starting  point  for  a  thorough  consideration  of  the 
range  of  privacy  issues  raised  by  changes  in  technology  and  in  our  financial  markets. 

This  is  a  historic  opportunity  to  get  financial  privacy  right  -  to  put  in  place  all  of  the 
protections  that  American  citizens  want  and  need.  In  addition,  we  all  recognize  the  special 
sensitivity  of  personal  medical  information.  The  Administration  supports  having  effective  laws 
in  place  that  match  the  sensitivity  of  such  data.  There  is  common  ground  between  Chairman 
Leach's  bill  and  the  Administration  approach.  At  the  same  time,  we  should  also  address  the 
other  vital  issues  that  are  included  in  the  Consumer  Financial  Privacy  Act.  To  do  otherwise  is 
to  miss  out  on  the  chance  to  complete  the  work  that  was  begun  in  last  year's  law. 

We  look  forward  to  working  with  you,  Congressman  LaFalce,  and  other  Members  of 
Congress  to  provide  all  Americans  with  comprehensive  financial  privacy  protections. 


-30- 


87 


Testimony 

of  the 

National  Association  of  Insurance  Commissioners 

Before  the 

United  States  House  of  Representatives 

Committee  on  Banking  and  Financial  Services 

on 

H.R.  4585 

Privacy  of  Health  Information 


June  14,  2000 


National  Association  of  Insurance  Commissioners 
David  Wetmore.  Director 

Federal  and  International  Relations 
444  North  Capitol  St.,  NW  Suite  701 
Washington,  DC  20001-1512 
Tel:  202-624-7790 
Fax:  202-624-8579 


88 


I.  Introduction 

Good  morning,  Mr.  Chairman  and  members  of  the  Committee.  My  name  is  Kathleen 
Sebelius.  I  am  the  elected  Insurance  Commissioner  for  the  State  of  Kansas,  and  I  am 
testifying  today  as  Vice  President  of  the  National  Association  of  Insurance 
Commissioners  (NAIC).  I  also  chair  the  NAIC's  Health  Insurance  and  Managed  Care 
Committee  and  the  NAIC  Privacy  Issues  Working  Group,  both  of  which  have  devoted 
much  time  and  energy  to  the  subject  before  us  today.'  I  am  accompanied  by  the  Vice- 
Chair  of  the  working  group,  Glenn  Pomeroy,  Insurance  Commissioner  of  the  state  of 
North  Dakota  and  a  past  president  of  the  NAIC. 

Let  me  begin  by  thanking  you,  Mr.  Chairman,  for  giving  the  NAIC  this  chance  to  testify 
on  the  subject  of  health  information  and  offer  our  views  and  comments  on  your  new 
legislation,  H.R.  4585,  the  "Medical  Financial  Privacy  Protection  Act."  We  have  testified 
five  times  previously  on  health  information  privacy  before  the  106"'  Congress. 

The  NAIC  has  a  long  history  of  working  to  protect  the  health  information  of  consumers, 
and  we  are  now  working  very  actively  to  guide  state  implementation  of  the  new  Title  V 
consumer  privacy  provisions  under  the  construct  of  the  Gramm-Leach-Bliley  Act 
(GLBA). 

My  testimony  today  will  focus  on:  (1)  the  need  for  privacy  protection  of  health 
information  in  GLBA;  (2)  NAIC's  activity  on  privacy  and  implementing  GLBA 
regulations;  and  (3)  comparison  of  H.R.  4585  to  the  NAIC  Health  Information  Privacy 
Model  Act. 


'  The  NAIC,  founded  in  1 87 1 ,  is  the  organization  of  the  chief  insurance  regulators  from  the  SO  states,  the 
District  of  Columbia,  and  four  of  the  U.S.  territories.  The  NAIC's  objective  is  to  serve  the  public  by 
assisting  state  insurance  regulators  In  fulfilling  their  regulatory  responsibilities.  Protection  of  consumers  is 
the  fundamental  purpose  of  insurance  regulation. 


89 


II.        The  Need  for  Privacy  Protection  of  Health  Information  in  GLBA 

When  you  ask  consumers  about  protection  of  their  personal  information,  they  think 
health  information  is  the  most  sensitive  and  expect  a  greater  level  of  protection  for  their 
personal  health  information.  Unfortunately,  GLBA  does  not  reflect  consumers' 
legitimate  concerns  in  this  area. 

Congressman  Leach,  we  are  pleased  with  your  decision  to  recognize  that  an  unintended 
consequence  of  GLBA  is  the  fact  that  a  consumer's  sensitive  health  information  can  be 
shared  freely  without  distinction  from  other  sorts  of  financial  information.  Although  we 
do  not  believe  the  intent  of  Congress  last  year  was  to  include  health  information  in  the 
final  version  of  GLBA,  the  implementing  regulations  have  changed  the  landscape 
because  "financial  information"  is  defined  to  include  health  information. 

As  we  all  know,  limited  privacy  protections  of  financial  information  are  included  in 
GLBA's  Title  V.  But  with  all  due  respect,  these  protections  fail  in  the  health  area 
because  the  law  does  not  provide  more  stringent  protection  for  health  information. 

While  this  "opt-out"  standard  may  be  adequate  in  providing  privacy  protections  for 
banking  and  financial  information  (in  the  true  sense  of  the  word),  this  standard  is  not 
adequate  for  personal  health  information. 

So  what  kinds  of  information  could  be  at  risk? 

While  we  were  developing  the  health  privacy  model,  we  heard  horrible  stories  of  how 
sensitive  personal  health  information  was  disseminated  without  the  individual's 
knowledge  or  consent.  For  example,  a  man  made  a  claim  against  his  insurance  company 
for  reimbursement  of  the  costs  of  a  drug  prescribed  for  a  certain  medical  condition. 
Within  days,  his  doctor  was  besieged  by  calls  from  pharmaceutical  companies  trying  to 
convince  the  doctor  to  change  the  patient's  medication  to  a  drug  produced  by  that 


90 


particular  company.  This  type  of  disclosure  would  be  prohibited  under  your  bill  and  our 
model  without  the  affirmative  consent  of  the  consumer. 

For  these  reasons,  we  think  Congress  needs  to  revisit  the  GLBA  provisions  and  provide 
comprehensive  privacy  standards  across-the-board  regarding  financial  institutions  and 
individually  identifiable  health  information. 

We  think  H.R.  4585  is  a  good  step  in  the  right  direction  to  accomplish  this  goal. 
Specifically,  we  agree  with  your  approach,  Mr.  Chairman,  in  several  key  areas: 

•  health  information  should  be  treated  separately  from,  and  differently  than, 
financial  information; 

•  individually  identifiable  health  information  should  be  afforded  more  protection 
than  financial  information; 

•  an  "opt-in"  standard  should  be  implemented  for  individually  identifiable  health 
information  due  to  the  sensitive  nature  of  the  information;  and 

•  the  standard  should  be  the  same  for  all  individually  identifiable  health  information 
and  should  not  be  based  on  the  type  of  financial  institution  that  holds  the 
information. 

These  aspects  of  your  bill  mirror  standing  NAIC  policy,  and  we  applaud  your  efforts  in 
amending  GLBA  to  include  these  important  protections  that  are  conspicuously  missing 
now.  We  believe  the  best  approach  on  the  issue  of  health  information  privacy  would  be  to 
set  a  federal  standard  that  does  not  preempt  stronger  state  laws  that  have  been  protecting 
health  information  for  so  many  years.  This  approach  is  consistent  with  the  GLBA 
standard  -  state  laws  are  preempted  only  if  they  are  "inconsistent  with"  GLBA  and 
stronger  state  laws  are  not  inconsistent. 

HI.        NAIC  Activitv 

A.         NAIC  Model  Legislation 
Members  of  the  NAIC  have  been  discussing  and  addressing  the  privacy  of  personal 
information,  including  health  information,  for  more  than  20  years.     In  1980  we  adopted 


91 


the  Insurance  Information  and  Privacy  Protection  Model  Act  (Attachment  A).  This 
model  applies  to  all  insurance  information  and  generally  requires  insurers  to  receive 
authorization  from  individuals  ("opt-in")  to  disclose  personal  information.  Health 
information  is  specifically  included  as  part  of  this  model. 

More  recently,  in  September  1998,  the  NAIC  continued  its  efforts  to  strengthen 
protections  for  personal  information  by  adopting  a  new  model  solely  focused  on  the 
issues  specific  to  health  information,  the  Health  Information  Privacy  Model  Act 
(Attachment  B).  This  model  was  developed  following  an  extensive  dialogue,  over  four 
years,  with  all  stakeholders,  including  representatives  of  the  insurance  and  managed  care 
industries,  and  representatives  from  the  provider  and  consumer  communities. 

Our  model  applies  to  all  insurance  carriers  and  was  developed  to  assist  the  states  in 
drafting  uniform  standards  for  ensuring  the  privacy  of  health  information.^  Similar  to  our 
more  general  1980  insurance  privacy  model,  this  health  information  privacy  model 
generally  requires  an  entity  to  obtain  an  authorization  ("opt-in")  from  the  individual  to 
collect,  use  or  disclose  protected  health  information.  However,  this  new  model  treats 
personal  health  information  as  a  different  type  of  information  that  should  receive  a  higher 
level  of  privacy  protection.  It  balances  the  business  needs  of  insurers  against  the 
legitimate  privacy  concerns  of  consumers. 


^  With  respect  to  insurers,  we  recommend  the  approach  of  H.R.  4585  and  of  the  NAIC  model,  which 
applies  to  all  insurance  carriers  and  is  not  limited  to  health  and  life  insurers.  The  NAIC  had  an  extensive 
public  discussion  about  whether  the  NAIC  model  should  apply  only  to  health  insurance  carriers,  or  instead, 
to  all  carriers.  Health  and  life  insurance  carriers  are  not  the  only  types  of  carriers  that  use  health 
information  to  transact  their  business.  Health  information  is  often  essential  to  property  and  casualty 
insurers  in  settling  workers'  compensation  claims  and  automobile  claims  involving  personal  injury,  for 
example.  Reinsurers  also  use  protected  health  information  to  write  reinsurance.  The  NAIC  concluded  that 
it  was  illogical  to  apply  one  set  of  rules  to  health  insurance  carriers  but  different  rules,  or  no  rules,  to  other 
carriers  that  were  using  the  same  type  of  information.  Consumers  deserve  the  same  protection  with  respect 
to  their  health  information,  regardless  of  the  entity  using  it.  Nor  is  it  equitable  to  subject  life  and  health 
insurance  carriers  to  more  smngent  rules  than  those  applied  to  other  insurers.  Our  model  applies  to  all 
insurance  carriers  and  establishes  uniform  rules  to  the  greatest  extent  possible.  The  NAIC  model  requires 
carriers  to  establish  procedures  for  the  treatment  of  all  health  information,  and  then  establishes  additional 
rules  for  protected  health  information  (individually  identifiable  health  information  in  H.R.  4585). 


92 


We  note  that  your  bill  would  codify  these  important  principles  of  our  new  model.  We 
also  note  that  our  model  could  serve  as  a  basis  for  developing  regulations  under  your  bill. 
Although  our  model  is  particular  to  the  insurance  business,  it  is  important  to  remember 
that  insurers  are  the  primary  financial  institutions  in  possession  of  individually 
identifiable  health  information.  Any  regulations  drafted  under  your  bill  should  keep  this 
fact  in  mind. 

B.         NAIC's  Draft  GLBA  Regulations 

As  members  of  this  Committee  know,  the  GLBA  directs  Federal  and  State  regulators  to 
establish  comprehensive  standards  for  ensuring  the  security  and  confidentiality  of 
consumers'  personal  information  maintained  by  financial  institutions,  and  to  protect 
against  unauthorized  access  to  or  use  of  such  information.  Moreover,  Section  507 
authorizes  -  some  would  say  encourages  -  States  to  enact  laws  that  give  consumers 
greater  privacy  protections  than  the  provisions  of  GLBA. 

As  functional  regulators  of  the  business  of  insurance,  the  states  are  working  through  the 
NAIC  to  promulgate  a  model  privacy  regulation  for  the  business  of  insurance.  We  are 
doing  so  in  a  manner  that  is  as  consistent  as  possible  with  the  federal  regulations  while 
capturing  the  unique  business  and  consumer  aspects  of  insurance.  As  one  of  the  NAIC's 
nine  commissioner-level  working  groups,  the  Privacy  Issues  Working  Group,  which  I 
chair  along  with  my  vice-chair  Commissioner  Pomeroy,  has  been  meeting  since  February 
to  develop  a  draft  regulation  although  our  work  began  in  earnest  once  the  federal 
regulations  were  finalized. 

We  met  this  past  weekend  during  our  Summer  National  Meeting  to  discuss  a  working 
draft  of  proposed  NAIC  interim  consumer  privacy  regulations  which  are  intended  to 
serve  as  guide  for  states  to  satisfy  Title  V  of  GLBA.  The  purpose  of  these  interim 
regulations  is  to  help  state  insurance  authorities  comply  with  the  minimum  requirements 
of  GLBA  quickly  and  therefore  give  to  the  industry  the  guidance  it  needs  in  this  area, 
while  ensuring  essential  consumer  protections. 


93 


The  draft  is  based  upon  the  final  Federal  privacy  regulations  with  regard  to  consumer 
financial  information.  Because  of  the  differences  between  insurance  activities  and 
banking  activities,  we  have  made  several  changes  that  strengthen  the  privacy  protections 
for  individuals  as  they  relate  to  insurance,  notably  with  respect  to  health  issues. 

Insurance  providers  typically  collect  much  greater  amounts  of  health  information  than 
banks.  We  have  also  decided  to  treat  health  information  differently  than  financial 
information  and  have  drafted  enhanced  protections.  This  is  in  accordance  with  our 
previously  adopted  policy  standards  (as  evidenced  by  existing  model  laws).  As  a  result, 
our  draft  regulations  make  clear  that  "financial  information"  does  not  include  "health 
information".  Having  made  that  distinction,  we  apply  different  rules  for  financial 
information  and  for  health  information.  For  financial  information,  we  have  closely 
tracked  the  language  in  GLBA  in  drafting  regulations  for  insurers  and  their  treatment  of 
financial  information. 

For  health  information,  we  create  an  "opt-in"  standard  to  be  added  to  the  Federal  rules  to 
address  the  special  privacy  issues  with  health  information.  We  then  address  specific 
exceptions  to  the  general  rule  to  allow  insurers  to  carry  on  their  day-to-day  business 
operations  without  undue  restrictions.  Our  intent  is  to  specifically  treat  personal  health 
information  as  a  different  type  of  information  that  receives  a  higher  level  of  privacy 
protection,  as  required  by  the  our  model. 

At  our  recent  Summer  National  Meeting,  the  working  group  discussed  the  "opt-in" 
standard  for  health  information.  Most  insurance  industry  representatives  voiced  support 
for  this  standard. 

We  have  an  accelerated  timetable  for  finalizing  this  regulation,  and  we  anticipate  a  final 
work  product  by  September  2000  so  states  may  implement  it  by  regulation  or  introduce  it 
as  legislation,  if  necessary,  in  the  next  legislative  session. 


65-149    2001-4 


94 


IV.        Comparison  of  H.R.  4585  and  the  NAIC  Health  Information  Privacy  Model 

H.R.  4585,  which  builds  upon  the  privacy  protections  for  financial  information  in  GLBA 
by  adding  protections  for  individually  identifiably  health  information,  is  similar  in  several 
aspects  to  the  NAIC  Health  Information  Privacy  Model.  Similarities  include: 

•  Treating  health  information  privacy  separately  from,  and  differently  than, 
financial  information. 

•  Affording  individually  identifiable  health  information  more  protection  than 
financial  information. 

•  Prohibiting  disclosure  of  individually  identifiable  health  information  without 
affirmative  consent  ("opt-in")  from  the  individual. 

•  Giving  individuals  the  right  to  access  and  amend  individually  identifiable  health 
information  that  is  collected  by  a  financial  institution. 

•  Placing  strict  limitations  on  the  re-disclosure  and  re-use  of  individually 
identifiable  health  information  legitimately  obtained  by  a  financial  institution. 

•  Establishing  a  list  of  exceptions  for  certain  activities  that  do  not  need 
authorization  from  the  individual.  Although  the  exceptions  in  H.R.  4585  and  the 
NAIC  Model  do  not  exactly  correlate  (GLBA  exceptions  geared  toward  banking 
business  and  NAIC  Model  exceptions  geared  toward  insurance  business),  each  set 
of  exceptions  recognizes  the  needs  of  financial  institutions  to  use  and  disclose 
individually  identifiably  health  information  for  legitimate  business  purposes. 

While  the  NAIC  model  is  more  detailed  than  H.R.  4585  in  the  insurance  context,  the 
model  is  consistent  with  the  GLBA  standard  that  state  laws  are  preempted  only  if  they  are 
"inconsistent  with"  GLBA.  State  laws  are  not  inconsistent  with  GLBA  if  the  protections 
they  afford  are  greater  than  GLBA  protections.  For  our  draft  regulations,  we  have  tried 
to  track  the  concepts  in  GLBA  for  financial  information  while  enhancing  protections 
based  on  our  model  for  individually  identifiable  health  information. 


95 


V.         Conclusion 

We  believe  a  national  standard  for  the  privacy  of  personal  information  is  critical  for  both 
consumers  and  financial  institutions.  We  also  believe  strongly  that  health  information 
needs  enhanced  protections,  and  consumers  should  be  assured  that  their  personal  health 
information  will  not  be  shared,  sold  or  released  without  their  specific  consent. 

We  will  continue  to  develop  a  uniform  model  regulation  to  meet  the  GLBA  privacy 
mandate  for  insurance  activities.  Once  our  model  is  completed,  the  regulation  must  be 
adopted  in  each  state  or  legislation  must  be  enacted.  Congressional  action  that  could 
protect  health  privacy  across  the  country  could  expedite  this  process  and  assure 
consumers  that  their  personal  health  information  will  be  protected  regardless  of  where 
they  live  or  which  financial  entity  collects  the  information. 

In  light  of  the  need  to  protect  individually  identifiable  health  information  under  the 
standards  established  in  GLBA,  we  are  glad  you  are  addressing  this  issue.  We  appreciate 
your  efforts,  and  in  general  we  agree  with  the  approach  taken  in  H.R.  4585.  We 
encourage  you  to  please  take  this  opportunity  to  address  comprehensive  privacy 
standards  across  the  board  for  health  information.  The  members  of  the  NAIC  would  be 
happy  to  work  with  the  Members  of  Congress  in  this  area  and  willing  to  discuss  and 
resolve  any  technical  issues  with  Congressional  staff.  Thank  you. 


96 


Section  6.        Content  of  Disclosure  Authorization  Forms 

Notwithstanding  any  other  provision  of  law  of  this  State,  no  insurance  institution,  agent  or 
insurance  support  organization  may  utihze  as  its  disclosure  authorization  form  in  connection  with 
insurance  transactions  a  form  or  statement  which  authorizes  the  disclosure  of  personal  or 
privileged  information  about  an  individual  to  the  insurance  institution,  agent  or  insurance  support 
organization  unless  the  form  or  statement: 

A.  Is  written  in  plain  language; 

B.  Is  dated; 

C.  Specifies  the  types  of  persons  authorized  to  disclose  information  about  the 
individual; 

D.  Specifies  the  nature  of  the  information  authorized  to  be  disclosed; 

E.  Names  the  insurance  institution  or  agent  and  identifies  by  generic  reference 
representatives  of  the  insurance  institution  to  whom  the  individual  is  authorizing 
information  to  be  disclosed; 

F.  Specifies  the  purposes  for  which  the  information  is  collected; 

G.  Specifies  the  length  of  time  such  authorization  shall  remain  valid,  which  shall  be  no 
longer  than: 

(1)  In  the  case  of  authorizations  signed  for  the  purpose  of  collecting  information 
in  connection  with  an  application  for  an  insurance  policy,  a  policy 
reinstatement  or  a  request  for  change  in  policy  benefits: 

(a)  Thirty  (30)  months  from  the  date  the  authorization  is  signed  if  the 
application  or  request  involves  life,  health  or  disability  insurance; 

(b)  One  ( 1 )  year  from  the  date  the  authorization  is  signed  if  the  application  or 
request  involves  property  or  casualty  insurance; 

(2)  In  the  case  of  authorizations  signed  for  the  purpose  of  collecting  information 
in  connection  with  a  claim  for  benefits  under  an  insurance  policy, 

(a)  The  term  of  coverage  of  the  policy  if  the  claim  is  for  a  health  insurance 
benefit; 

(b)  The  duration  of  the  claim  if  the  claim  is  not  for  a  health  insurance 
benefit;  and 


97 


H.  Advises  the  individual  or  a  person  authorized  to  act  on  behalf  of  the  individual  that 
the  individual  or  the  individual's  authorized  representative  is  entitled  to  receive  a 
copy  of  the  authorization  form. 

Drafting  Note:  The  standard  established  by  this  section  for  disclosure  authorization  forms  is 
intended  to  supersede  any  existing  requirements  a  state  may  have  adopted  even  if  such 
requirements  are  more  specific  or  applicable  to  particular  authorizations  such  as  medical 
information  authorizations.  This  section  is  intended  to  be  the  exclusive  statutory  standard  for  all 
authorization  forms  utilized  by  insurance  institutions,  agents  or  insurance  support  organizations. 
This  section  does  not  preclude  the  inclusion  of  a  disclosure  authorization  in  an  application  form 
nor  invalidate  any  disclosure  authorizations  in  effect  prior  to  the  effective  date  of  this  Act.  Nor 
does  this  section  preclude  an  insurance  institution,  agent  or  insurance  support  organization  from 
obtaining,  in  addition  to  its  own  authorization  form  which  complies  with  this  section,  an 
additional  authorization  form  required  by  the  person  from  whom  disclosure  is  sought. 

Section  7.        Investigative  Consumer  Reports 

A.  No  insurance  institution,  agent  or  insurance  support  organization  may  prepare  or 
request  an  investigative  consumer  report  about  an  individual  in  connection  with  an 
insurance  transaction  involving  an  application  for  insurance,  a  policy  renewal,  a 
policy  reinstatement  or  a  change  in  insurance  benefits  unless  the  insurance 
institution  or  agent  informs  the  individual: 

(1)  That  he  or  she  may  request  to  be  interviewed   in  connection  with  the 
preparation  of  the  investigative  consumer  report;  and 

(2)  That  upon  a  request  pursuant  to  Section  8,  he  or  she  is  entitled  to  receive  a 
copy  of  the  investigative  consumer  report. 

B.  If  an  investigative  consumer  report  is  to  be  prepared  by  an  insurance  institution  or 
agent,  the  insurance  institution  or  agent  shall  institute  reasonable  procedures  to 
conduct  a  personal  interview  requested  by  an  individual. 

C.  If  an  investigative  consumer  report  is  to  be  prepared  by  an  insurance  support 
organization,  the  insurance  institution  or  agent  desiring  such  report  shall  inform  the 
insurance  support  organization  whether  a  personal  interview  has  been  requested  by 
the  individual.  The  insurance  support  organization  shall  institute  reasonable 
procedures  to  conduct  such  interviews,  if  requested. 

Section  8.        Access  to  Recorded  Personal  Information 


A.  If  any  individual,  after  proper  identification,  submits  a  written  request  to  an 
insurance  institution,  agent  or  insurance  support  organization  for  access  to  recorded 
personal  information  about  the  individual  which  is  reasonably  described  by  the 


98 


individual  and  reasonably  locatable  and  retrievable  by  the  insurance  institution, 
agent  or  insurance  support  organization,  the  insurance  institution,  agent  or  insurance 
support  organization  shall  within  thirty  (30)  business  days  from  the  date  such  request 
is  received: 

( 1 )  Infonti  the  individual  of  the  nature  and  substance  of  such  recorded  personal 
information  in  writing,  by  telephone  or  by  other  oral  communication, 
whichever  the  insurance  institution,  agent  or  insurance  support  organization 
prefers; 

(2)  Permit  the  individual  to  see  and  copy,  in  person,  such  recorded  personal 
information  pertaining  to  him  or  her  or  to  obtain  a  copy  of  such  recorded 
personal  information  by  mail,  whichever  the  individual  prefers,  unless  such 
recorded  personal  information  is  in  coded  form,  in  which  case  an  accurate 
translation  in  plain  language  shall  be  provided  in  writing; 

(3)  Disclose  to  the  individual  the  identity,  if  recorded,  of  those  persons  to  whom 
the  insurance  institution,  agent  or  insurance  support  organization  has  disclosed 
such  personal  information  within  two  (2)  years  prior  to  such  request,  and  if  the 
identity  is  not  recorded,  the  names  of  those  insurance  institutions,  agents, 
insurance  support  organizations  or  other  persons  to  whom  such  information  is 
normally  disclosed;  and 

(4)  Provide  the  individual  with  a  summary  of  the  procedures  by  which  he  or  she 
may  request  correction,  amendment  or  deletion  of  recorded  personal 
information. 

B.  Any  personal  information  provided  pursuant  to  Subsection  A  above  shall  identify  the 
source  of  the  information  if  such  source  is  an  institutional  source. 

C.  Medical-record  information  supplied  by  a  medical  care  institution  or  medical 
professional  and  requested  under  Subsection  A,  together  with  the  identity  of  the 
medical  professional  or  medical  care  institution  which  provided  such  information, 
shall  be  supplied  either  directly  to  the  individual  or  to  a  medical  professional 
designated  by  the  individual  and  licensed  to  provide  medical  care  with  respect  to  the 
condition  to  which  the  information  relates,  whichever  the  insurance  institution,  agent 
or  insurance  support  organization  prefers.  If  it  elects  to  disclose  the  information  to  a 
medical  professional  designated  by  the  individual,  the  insurance  institution,  agent  or 
insurance  support  organization  shall  notify  the  individual,  at  the  time  of  the 
disclosure,  that  it  has  provided  the  information  to  the  medical  professional. 

D.  Except  for  personal  information  provided  under  Section  10,  an  insurance  institution, 
agent  or  insurance  support  organization  may  charge  a  reasonable  fee  to  cover  the 
costs  incurred  in  providing  a  copy  of  recorded  personal  information  to  individuals. 


99 


E.  The  obligations  imposed  by  this  section  upon  an  insurance  institution  or  agent  may 
be  satisfied  by  another  insurance  institution  or  agent  authorized  to  act  on  its  behalf. 
With  respect  to  the  copying  and  disclosure  of  recorded  personal  information 
pursuant  to  a  request  under  Subsection  A,  an  insurance  institution,  agent  or 
insurance  support  organization  may  make  arrangements  with  an  insurance  support 
organization  or  a  consumer  reporting  agency  to  copy  and  disclose  recorded  personal 
information  on  its  behalf. 

F.  The  rights  granted  to  individuals  in  this  section  shall  extend  to  all  natural  persons  to 
the  extent  information  about  them  is  collected  and  maintained  by  an  insurance 
institution,  agent  or  insurance  support  organization  in  connection  with  an  insurance 
transaction.  The  rights  granted  to  all  natural  persons  by  this  subsection  shall  not 
extend  to  information  about  them  that  relates  to  and  is  collected  in  connection  with 
or  in  reasonable  anticipation  of  a  claim  or  civil  or  criminal  proceeding  involving 
them. 

G.  For  purposes  of  this  section,  the  term  "insurance  support  organization"  does  not 
include  "consumer  reporting  agency"  except  to  the  extent  this  section  imposes  more 
stringent  requirements  on  a  consumer  reporting  agency  than  other  state  or  federal 
law. 

Section  9.        Correction,  Amendment  or  Deletion  of  Recorded  Personal  Information 

A.  Within  thirty  (30)  business  days  from  the  date  of  receipt  of  a  written  request  from  an 
individual  to  correct,  amend  or  delete  any  recorded  personal  information  about  the 
individual  within  its  possession,  an  insurance  institution,  agent  or  insurance  support 
organization  shall  either: 

(1)  Correct,  amend  or  delete  the  portion  of  the  recorded  personal  information  in 
dispute;  or 

(2)  Notify  the  individual  of: 

(a)  Its  refusal  to  make  such  correction,  amendment  or  deletion; 

(b)  The  reasons  for  the  refusal,  and 

(c)  The  individual's  right  to  file  a  statement  as  provided  in  Subsection  C. 

B.  If  the  insurance  institution,  agent  or  insurance  support  organization  corrects,  amends 
or  deletes  recorded  personal  information  in  accordance  with  Subsection  A(  1 )  above, 
the  insurance  institution,  agent  or  insurance  support  organization  shall  so  notify  the 
individual  in  writing  and  furnish  the  correction,  amendment  or  fact  of  deletion  to: 


100 


(1)  Any  person  specifically  designated  by  the  individual  who  may  have,  within  the 
preceding  two  (2)  years,  received  such  recorded  personal  information; 

(2)  Any  insurance  support  organization  whose  primary  source  of  personal 
information  is  insurance  institutions  if  the  insurance  support  organization  has 
systematically  received  such  recorded  personal  information  from  the  insurance 
institution  within  the  preceding  seven  (7)  years;  provided,  however,  that  the 
correction,  amendment  or  fact  of  deletion  need  not  be  furnished  if  the 
insurance  support  organization  no  longer  maintains  recorded  personal 
information  about  the  individual;  and 

(3)  Any  insurance  support  organization  that  furnished  the  personal  information 
that  has  been  corrected,  amended  or  deleted. 

C.  Whenever  an  individual  disagrees  with  an  insurance  institution's,  agent's  or 
insurance  support  organization's  refusal  to  correct,  amend  or  delete  recorded 
personal  information,  the  individual  shall  be  permitted  to  file  with  the  insurance 
institution,  agent  or  insurance  support  organization: 

(1)  A  concise  statement  setting  forth  what  the  individual  thinks  is  the  correct, 
relevant  or  fair  information;  and 

(2)  A  concise  statement  of  the  reasons  why  the  individual  disagrees  with  the 
insurance  institution's,  agent's  or  insurance  support  organization's  refusal  to 
correct,  amend  or  delete  recorded  personal  information. 

D.  In  the  event  an  individual  files  either  statement  as  described  in  Subsection  C  above, 
the  insurance  institution,  agent  or  insurance  support  organizations  shall: 

(1)  File  the  statement  with  the  disputed  personal  information  and  provide  a  means 
by  which  anyone  reviewing  the  disputed  personal  information  will  be  made 
aware  of  the  individual's  statement  and  have  access  to  it;  and 

(2)  In  any  subsequent  disclosure  by  the  insurance  institution,  agent  or  support 
organization  of  the  recorded  personal  information  that  is  the  subject  of 
disagreement,  clearly  identify  the  matter  or  matters  in  dispute  and  provide  the 
individual's  statement  along  with  the  recorded  personal  information  being 
disclosed;  and 

(3)  Furnish  the  statement  to  the  persons  and  in  the  manner  specified  in  Subsection 
B  above. 

E.  The  rights  granted  to  individuals  in  this  section  shall  extend  to  all  natural  persons  to 
the  extent  information  about  them  is  collected  and  maintained  by  an  insurance 
institution,  agent  or  insurance  support  organization  in  connection  with  an  insurance 


101 


transaction.  The  rights  granted  to  all  natural  persons  by  this  subsection  shall  not 
extend  to  information  about  them  that  relates  to  and  is  collected  in  connection  with 
or  in  reasonable  anticipation  of  a  claim  or  civil  or  criminal  proceeding  involving 
them. 

F.  For  purposes  of  this  section,  the  term  "insurance  support  organization"  does  not 
include  "consumer  reporting  agency"  except  to  the  extent  that  this  section  imposes 
more  stringent  requirements  on  a  consumer  reporting  agency  than  other  state  or 
federal  law. 

Section  10.      Reasons  for  Adverse  Underwriting  Decisions 

A.  In  the  event  of  an  adverse  underwriting  decision  the  insurance  institution  or  agent 
responsible  for  the  decision  shall: 

(1)  Either  provide  the  applicant,  policyholder  or  individual  proposed  for  coverage 
with  the  specific  reason  or  reasons  for  the  adverse  underwriting  decision  in 
writing  or  advise  such  person  that  upon  written  request  he  or  she  may  receive 
the  specific  reason  or  reasons  in  writing;  and 

(2)  Provide  the  applicant,  policyholder  or  individual  proposed  for  coverage  with  a 
summary  of  the  rights  established  under  Subsection  B  and  Sections  8  and  9  of 
this  Act. 

B.  Upon  receipt  of  a  written  request  within  ninety  (90)  business  days  from  the  date  of 
the  mailing  of  notice  or  other  communication  of  an  adverse  underwriting  decision  to 
an  applicant,  policyholder  or  individual  proposed  for  coverage,  the  insurance 
institution  or  agent  shall  furnish  to  such  person  within  twenty-one  (21)  business  days 
from  the  date  of  receipt  of  such  written  request: 

(1)  The  specific  reason  or  reasons  for  the  adverse  underwriting  decision,  in 
writing,  if  such  information  was  not  initially  furnished  in  writing  pursuant  to 
Subsection  A(l); 

(2)  The  specific  items  of  personal  and  privileged  information  that  support  those 
reasons;  provided,  however: 

(a)  The  insurance  institution  or  agent  shall  not  be  required  to  furnish  specific 
items  of  privileged  information  if  it  has  a  reasonable  suspicion,  based 
upon  specific  information  available  for  review  by  the  Commissioner,  that 
the  applicant,  policyholder  or  individual  proposed  for  coverage  has 
engaged  in  criminal  activity,  fraud,  material  misrepresentation  or  material 
nondisclosure,  and 


102 


(b)  Specific  items  of  medical-record  information  supplied  by  a  medical  care 
institution  or  medical  professional  shall  be  disclosed  either  directly  to  the 
individual  about  whom  the  information  relates  or  to  a  medical 
professional  designated  by  the  individual  and  licensed  to  provide  medical 
care  with  respect  to  the  condition  to  which  the  information  relates, 
whichever  the  insurance  institution  or  agent  prefers,  and 

Drafting  Note:  The  exception  in  Section  10B(2)(a)  to  the  obligation  of  an  insurance  institution 
or  agent  to  furnish  the  specific  items  of  personal  and  privileged  information  that  support  the 
reasons  for  an  adverse  underwriting  decision  extends  only  to  information  about  criminal  activity, 
fraud,  material  misrepresentation  or  material  nondisclosure  that  is  privileged  information  and  not 
to  all  information. 

(3)  The  names  and  addresses  of  the  institutional  sources  that  supplied  the  specific 
items  of  information  pursuant  to  Subsection  B(2);  provided,  however,  that  the 
identity  of  any  medical  professional  or  medical  care  institution  shall  be 
disclosed  either  directly  to  the  individual  or  to  the  designated  medical 
professional,  whichever  the  insurance  institution  or  agent  prefers. 

C.  The  obligations  imposed  by  this  section  upon  an  insurance  institution  or  agent  may 
be  satisfied  by  another  insurance  institution  or  agent  authorized  to  act  on  its  behalf. 

D.  When  an  adverse  underwriting  decision  results  solely  from  an  oral  request  or 
inquiry,  the  explanation  of  reasons  and  summary  of  rights  required  by  Subsection  A 
may  be  given  orally. 

Section  11.      Information  Concerning  Previous  Adverse  Underwriting  Decisions 

No  insurance  institution,  agent  or  insurance  support  organization  may  seek  information  in 
connection  with  an  insurance  transaction  concerning: 

A.  Any  previous  adverse  underwriting  decision  experienced  by  an  individual;  or 

B.  Any  previous  insurance  coverage  obtained  by  an  individual  through  a  residual 
market  mechanism, 

unless  such  inquiry  also  requests  the  reasons  for  any  previous  adverse  underwriting  decision  or 
the  reasons  why  insurance  coverage  was  previously  obtained  through  a  residual  market 
mechanism. 

Section  12.      Previous  Adverse  Underwriting  Decisions 

No  insurance  institution  or  agent  may  base  an  adverse  underwriting  decision  in  whole  or  in  part: 


103 


A.  On  the  fact  of  a  previous  adverse  underwriting  decision  or  on  the  fact  that  an 
individual  previously  obtained  insurance  coverage  through  a  residual  market 
mechanism;  provided,  however,  an  insurance  institution  or  agent  may  base  an 
adverse  underwriting  decision  on  further  information  obtained  from  an  insurance 
institution  or  agent  responsible  for  a  previous  adverse  underwriting  decision; 

B.  On  personal  information  received  from  an  insurance  support  organization  whose 
primary  source  of  information  is  insurance  institutions;  provided,  however,  an 
insurance  institution  or  agent  may  base  an  adverse  underwriting  decision  on  further 
personal  information  obtained  as  a  result  of  information  received  from  such 
insurance  support  organization. 

Section  13.      Disclosure  Limitations  and  Conditions 

An  insurance  institution,  agent  or  insurance  support  organization  shall  not  disclose  any  personal 
or  privileged  information  about  an  individual  collected  or  received  in  connection  with  an 
insurance  transaction  unless  the  disclosure  is: 

A.  With  the  written  authorization  of  the  individual,  provided: 

(1)  If  such  authorization  is  submitted  by  another  insurance  institution,  agent  or 
insurance  support  organization,  the  authorization  meets  the  requirements  of 
Section  6  of  this  Act;  or 

(2)  If  such  authorization  is  submitted  by  a  person  other  than  an  insurance 
institution,  agent  or  insurance  support  organization,  the  authorization  is: 

(a)  Dated; 

(b)  Signed  by  the  individual;  and 

(c)  Obtained  one  (1)  year  or  less  prior  to  the  date  a  disclosure  is  sought 
pursuant  to  this  subsection;  or 

B.  To  a  person  other  than  an  insurance  institution,  agent  or  insurance  support 
organization,  provided  such  disclosure  is  reasonably  necessary: 

(1)  To  enable  such  person  to  perform  a  business,  professional  or  insurance 
function  for  the  disclosing  insurance  institution,  agent  or  insurance  support 
organization  and  such  person  agrees  not  to  disclose  the  information  further 
without  the  individual's  written  authorization  unless  the  further  disclosure: 

(a)    Would  otherwise  be  permitted  by  this  section  if  made  by  an  insurance 
institution,  agent  or  insurance  support  organization;  or 


104 


(b)  Is  reasonably  necessary  for  such  person  to  perform  its  function  for  the 
disclosing  insurance  institution,  agent  or  insurance  support  organization; 
or 

(2)  To  enable  such  person  to  provide  information  to  the  disclosing  insurance 
institution,  agent  or  insurance  support  organization  for  the  purpose  of: 

(a)  Determining  an  individual's  eligibility  for  an  insurance  benefit  or 
payment;  or 

(b)  Detecting  or  preventing  criminal  activity,  fraud,  material 
misrepresentation  or  material  nondisclosure  in  connection  with  an 
insurance  transaction;  or 

C.  To  an  insurance  institution,  agent,  insurance  support  organization,  or  self-insurer, 
provided  the  information  disclosed  is  limited  to  that  which  is  reasonably  necessary: 

(1)  To  detect  or  prevent  criminal  activity,  fraud,  material  misrepresentation  or 
material  nondisclosure  in  connection  with  insurance  transactions;  or 

(2)  For  either  the  disclosing  or  receiving  insurance  institution,  agent  or  insurance 
support  organization  to  perform  its  function  in  connection  with  an  insurance 
transaction  involving  the  individual;  or 

D.  To  a  medical  care  institution  or  medical  professional  for  the  purpose  of: 

( 1 )  Verifying  insurance  coverage  or  benefits; 

(2)  Informing  an  individual  of  a  medical  problem  of  which  the  individual  may  not 
be  aware;  or 

(3)  Conducting  an  operations  or  services  audit  to  verify  the  individuals  treated  by 
the  medical  professional  or  at  the  medical  care  institution; 

provided  only  such  information  is  disclosed  as  is  reasonably  necessary  to  accomplish 
the  foregoing  purposes;  or 

E.  To  an  insurance  regulatory  authority;  or 

F.  To  a  law  enforcement  or  other  governmental  authority: 

(1)  To  protect  the  interests  of  the  insurance  institution,  agent  or  insurance  support 
organization  in  preventing  or  prosecuting  the  perpetration  of  fraud  upon  it;  or 


105 


(2)  If  the  insurance  institution,  agent  or  insurance  support  organization  reasonably 
believes  that  illegal  activities  have  been  conducted  by  the  individual;  or 

G.       Otherwise  permitted  or  required  by  law;  or 

H.  In  response  to  a  facially  valid  administrative  or  judicial  order,  including  a  search 
warrant  or  subpoena;  or 

I.        Made  for  the  purpose  of  conducting  actuarial  or  research  studies,  provided: 

( 1 )  No  individual  may  be  identified  in  any  actuarial  or  research  report; 

(2)  Materials  allowing  the  individual  to  be  identified  are  returned  or  destroyed  as 
soon  as  they  are  no  longer  needed;  and 

(3)  The  actuarial  or  research  organization  agrees  not  lo  disclose  the  information 
unless  the  disclosure  would  otherwise  be  permitted  by  this  section  if  made  by 
an  insurance  institution,  agent  or  insurance  support  organization;  or 

J.  To  a  party  or  representative  of  a  party  to  a  proposed  or  consummated  sale,  transfer, 
merger  or  consolidation  of  all  or  part  of  the  business  of  the  insurance  institution, 
agent  or  insurance  support  organization,  provided: 

( 1 )  Prior  to  the  consummation  of  the  sale,  transfer,  merger  or  consolidation  only 
such  information  is  disclosed  as  is  reasonably  necessary  to  enable  the  recipient 
to  make  business  decisions  about  the  purchase,  transfer,  merger  or 
consolidation;  and 

(2)  The  recipient  agrees  not  to  disclose  the  information  unless  the  disclosure 
would  otherwise  be  permitted  by  this  section  if  made  by  an  insurance 
institution,  agent  or  insurance  support  organization;  or 

K.  To  a  person  whose  only  use  of  such  information  will  be  in  connection  with  the 
marketing  of  a  product  or  service,  provided: 

(1)  No  medical  record  information,  privileged  information  or  personal 
information  relating  to  an  individual's  character,  personal  habits,  mode  of 
living  or  general  reputation  is  disclosed,  and  no  classification  derived  from 
such  information  is  disclosed; 

(2)  The  individual  has  been  given  an  opportunity  to  indicate  that  he  or  she  does 
not  want  personal  information  disclosed  for  marketing  purposes  and  has  given 
no  indication  that  he  or  she  does  not  want  the  information  disclosed;  and 


106 


(3)      The   person   receiving   such   information   agrees  not  to  use   it  except   in 
connection  with  the  mariceting  of  a  product  or  service;  or 

L.  To  an  affiliate  whose  only  use  of  the  information  will  be  in  connection  with  an  audit 
of  the  insurance  institution  or  agent  or  the  marketing  of  an  insurance  product  or 
service,  provided  the  affiliate  agrees  not  to  disclose  the  information  for  any  other 
purpose  or  to  unaffiliated  persons;  or 

M.  By  a  consumer  reporting  agency,  provided  the  disclosure  is  to  a  person  other  than  an 
insurance  institution  or  agent;  or 

N.  To  a  group  policyholder  for  the  purpose  of  reporting  claims  experience  or 
conducting  an  audit  of  the  insurance  institution's  or  agent's  operations  or  services, 
provided  the  information  disclosed  is  reasonably  necessary  for  the  group 
policyholder  to  conduct  the  review  or  audit;  or 

O.  To  a  professional  peer  review  organization  for  the  purpose  of  reviewing  the  service 
or  conduct  of  a  medical  care  institution  or  medical  professional;  or 

P.  To  a  governmental  authority  for  the  purpose  of  determining  the  individual's 
eligibility  for  health  benefits  for  which  the  governmental  authority  may  be  liable;  or 

Q.  To  a  certificateholder  or  policyholder  for  the  purpose  of  providing  information 
regarding  the  status  of  an  insurance  transaction;  or 

R.  To  a  lienholder,  mortgagee,  assignee,  lessor  or  other  person  shown  on  the  records  of 
an  insurance  institution  or  agent  as  having  a  legal  or  beneficial  interest  in  a  policy  of 
insurance,  provided  that: 

(1)  No  medical  record  information  is  disclosed  unless  the  disclosure  would 
otherwise  be  permitted  by  this  section;  and 

(2)  The  information  disclosed  is  limited  to  that  which  is  reasonably  necessary  to 
permit  such  person  to  protect  its  interests  in  such  policy. 

Section  14.      Power  of  Conunissioner 

A.  The  Corrmiissioner  shall  have  power  to  examine  and  investigate  into  the  affairs  of 
every  insurance  institution  or  agent  doing  business  in  this  State  to  determine  whether 
the  insurance  institution  or  agent  has  been  or  is  engaged  in  any  conduct  in  violation 
of  this  Act. 

B.  The  Commissioner  shall  have  the  power  to  examine  and  investigate  into  the  affairs 
of  every  insurance  support  organization  acting  on  behalf  of  an  insurance  institution 
or  agent  which  either  transacts  business  in  this  State  or  transacts  business  outside 


107 


this  State  that  has  an  effect  on  a  person  residing  in  this  State  in  order  to  determine 
whether  such  insurance  support  organization  has  been  or  is  engaged  in  any  conduct 
in  violation  of  this  Act. 

Section  15.      Hearings,  Witnesses,  Appearances,  Production  of  Books  and  Service  of 
Process 

A.  Whenever  the  Commissioner  has  reason  to  believe  that  an  insurance  institution, 
agent  or  insurance  support  organization  has  been  or  is  engaged  in  conduct  in  this 
State  which  violates  this  Act,  or  if  the  Commissioner  believes  that  an  insurance 
support  organization  has  been  or  is  engaged  in  conduct  outside  this  State  which  has 
an  effect  on  a  person  residing  in  this  State  and  which  violates  this  Act,  the 
Commissioner  shall  issue  and  serve  upon  such  insurance  institution,  agent  or 
insurance  support  organization  a  statement  of  charges  and  notice  of  hearing  to  be 
held  at  a  time  and  place  fixed  in  the  notice.  The  date  for  such  hearing  shall  be  not 
less  than  [insert  number]  days  after  the  date  of  service. 

B.  At  the  time  and  place  fixed  for  such  hearing  the  insurance  institution,  agent  or 
insurance  support  organization  charged  shall  have  an  opportunity  to  answer  the 
charges  against  it  and  present  evidence  on  its  behalf.  Upon  good  cause  shown,  the 
Commissioner  shall  permit  any  adversely  affected  person  to  intervene,  appear  and  be 
heard  at  such  hearing  by  counsel  or  in  person. 

C.  At  any  hearing  conducted  pursuant  to  this  section  the  Commissioner  may  administer 
oaths,  examine  and  cross-examine  witnesses  and  receive  oral  and  documentary 
evidence.  The  Commissioner  shall  have  the  power  to  subpoena  witnesses,  compel 
their  attendance  and  require  the  production  of  books,  papers,  records, 
correspondence  and  other  documents  which  are  relevant  to  the  hearing.  A 
stenographic  record  of  the  hearing  shall  be  made  upon  the  request  of  any  party  or  at 
the  discretion  of  the  Commissioner.  If  no  stenographic  record  is  made  and  if  judicial 
review  is  sought,  the  Commissioner  shall  prepare  a  statement  of  the  evidence  for  use 
on  the  review.  Hearings  conducted  under  this  section  shall  be  governed  by  the  same 
rules  of  evidence  and  procedure  applicable  to  administrative  proceedings  conducted 
under  the  laws  of  this  State. 

D.  Statements  of  charges,  notices,  orders  and  other  processes  of  the  Commissioner 
under  this  Act  may  be  served  by  anyone  duly  authorized  to  act  on  behalf  of  the 
Commissioner.  Service  of  process  may  be  completed  in  the  manner  provided  by  law 
for  service  of  process  in  civil  actions  or  by  registered  mail.  A  copy  of  the  statement 
of  charges,  notice,  order  or  other  process  shall  be  provided  to  the  person  or  persons 
whose  rights  under  this  Act  have  been  allegedly  violated.  A  verified  return  setting 
forth  the  manner  of  service,  or  return  postcard  receipt  in  the  case  of  registered  mail, 
shall  be  sufficient  proof  of  service. 

Section  16.      Service  of  Process  -  Insurance  Support  Organizations 


108 


For  the  purpose  of  this  Act,  an  insurance  support  organization  transacting  business  outside  this 
State  which  has  an  effect  on  a  person  residing  in  this  State  shall  be  deemed  to  have  appointed  the 
Commissioner  to  accept  service  of  process  on  its  behalf;  provided  the  Commissioner  causes  a 
copy  of  such  service  to  be  mailed  forthwith  by  registered  mail  to  the  insurance  support 
organization  at  its  last  known  principal  place  of  business.  The  return  postcard  receipt  for  such 
mailing  shall  be  sufficient  proof  that  the  same  was  properly  mailed  by  the  Commissioner. 

Section  17.      Cease  and  Desist  Orders  and  Reports 

A.  If,  after  a  hearing  pursuant  to  Section  15,  the  Commissioner  determines  that  the 
insurance  institution,  agent  or  insurance  support  organization  charged  has  engaged  in 
conduct  or  practices  in  violation  of  this  Act,  the  Commissioner  shall  reduce  his  or 
her  findings  to  writing  and  shall  issue  and  cause  to  be  served  upon  such  insurance 
institution,  agent  or  insurance  support  organization  a  copy  of  such  findings  and  an 
order  requiring  such  insurance  institution,  agent  or  insurance  support  organization  to 
cease  and  desist  from  the  conduct  or  practices  constituting  a  violation  of  this  Act. 

B.  If,  after  a  hearing  pursuant  to  Section  15,  the  Commissioner  determines  that  the 
insurance  institution,  agent  or  insurance  support  organization  charged  has  not 
engaged  in  conduct  or  practices  in  violation  of  this  Act,  the  Commissioner  shall 
prepare  a  written  report  which  sets  forth  findings  of  fact  and  conclusions  of  law. 
Such  report  shall  be  served  upon  the  insurance  institution,  agent  or  insurance  support 
organization  charged  and  upon  the  person  or  persons,  if  any,  whose  rights  under  this 
Act  were  allegedly  violated. 

C.  Until  the  expiration  of  the  time  allowed  under  Section  19  of  this  Act  for  filing  a 
petition  for  review  or  until  such  petition  is  actually  filed,  whichever  occurs  first,  the 
Commissioner  may  modify  or  set  aside  any  order  or  report  issued  under  this  section. 
After  the  expiration  of  the  time  allowed  under  Section  19  of  this  Act  for  filing  a 
petition  for  review,  if  no  such  petition  has  been  duly  filed,  the  Commissioner  may, 
after  notice  and  opportunity  for  hearing,  alter,  modify  or  set  aside,  in  whole  or  in 
part,  any  order  or  report  issued  under  this  section  whenever  conditions  of  fact  or  law 
warrant  such  action  or  if  the  public  interest  so  requires. 

Section  18.      Penalties 

A.  In  any  case  where  a  hearing  pursuant  to  Section  15  results  in  the  finding  of  a 
knowing  violation  of  this  Act,  the  Commissioner  may,  in  addition  to  the  issuance  of 
a  cease  and  desist  order  as  prescribed  in  Section  17,  order  payment  of  a  monetary 
penalty  of  not  more  than  [$500]  for  each  violation  but  not  to  exceed  [$10,000]  in  the 
aggregate  for  multiple  violations. 

B.  Any  person  who  violates  a  cease  and  desist  order  of  the  Commissioner  under  Section 
17  of  this  Act  may,  after  notice  and  hearing  and  upon  order  of  the  Commissioner,  be 


109 


subject   to  one  or  more   of  the   following  penalties,   at  the   discretion   of  the 
Commissioner: 

(1)  A  monetary  fine  of  not  more  than  [$10,000]  for  each  violation; 

(2)  A  monetary  fine  of  not  more  than  [$50,000]  if  the  Commissioner  finds  that 
violations  have  occurred  with  such  frequency  as  to  constitute  a  general 
business  practice;  or 

(3)  Suspension  or  revocation  of  an  insurance  institution's  or  agent's  license. 
Section  19.      Judicial  Review  of  Orders  and  Reports 

A.  Any  person  subject  to  an  order  of  the  Commissioner  under  Section  17  or  Section  18 
or  any  person  whose  rights  under  this  Act  were  allegedly  violated  may  obtain  a 
review  of  any  order  or  report  of  the  Commissioner  by  filing  in  the  [insert  title]  Court 
of  [insert  county]  County,  within  [insert  number]  days  from  the  date  of  the  service  of 
such  order  or  report,  a  written  petition  requesting  that  the  order  or  report  of  the 
Commissioner  be  set  aside.  A  copy  of  such  petition  shall  be  simultaneously  served 
upon  the  Commissioner,  who  shall  forthwith  certify  and  file  in  such  court  a 
transcript  of  the  entire  record  of  the  proceeding  giving  rise  to  the  order  or  report 
which  is  the  subject  of  the  petition.  Upon  filing  of  the  petition  and  transcript  the 
[insert  title]  Court  shall  have  jurisdiction  to  make  and  enter  a  decree  modifying, 
affirming  or  reversing  any  order  or  report  of  the  Commissioner,  in  whole  or  in  part. 
The  findings  of  the  Commissioner  as  to  the  facts  supporting  any  order  or  report,  if 
supported  by  clear  and  convincing  evidence,  shall  be  conclusive. 

B.  To  the  extent  an  order  or  report  of  the  Commissioner  is  affirmed,  the  Court  shall 
issue  its  own  order  commanding  obedience  to  the  terms  of  the  order  or  report  of  the 
Commissioner.  If  any  party  affected  by  an  order  or  report  of  the  Commissioner  shall 
apply  to  the  court  for  leave  to  produce  additional  evidence  and  shall  show  to  the 
satisfaction  of  the  court  that  such  additional  evidence  is  material  and  that  there  are 
reasonable  grounds  for  the  failure  to  produce  such  evidence  in  prior  proceedings,  the 
court  may  order  such  additional  evidence  to  be  taken  before  the  Commissioner  in 
such  manner  and  upon  such  terms  and  conditions  as  the  court  may  deem  proper. 
The  Commissioner  may  modify  his  or  her  findings  of  fact  or  make  new  findings  by 
reason  of  the  additional  evidence  so  taken  and  shall  file  such  modified  or  new 
findings  along  with  any  recommendation,  if  any,  for  the  modification  or  revocation 
of  a  previous  order  or  report.  If  supported  by  clear  and  convincing  evidence,  the 
modified  or  new  findings  shall  be  conclusive  as  to  the  matters  contained  therein. 

C.  An  order  or  report  issued  by  the  Commissioner  under  Section  17  or  18  shall  become 
final: 


(1) 


110 


Upon  the  expiration  of  the  time  allowed  for  the  filing  of  a  petition  for  review, 
if  no  such  petition  has  been  duly  filed;  except  that  the  Commissioner  may 
modify  or  set  aside  an  order  or  report  to  the  extent  provided  in  Section  17C;  or 


D. 


(2)  Upon  a  final  decision  of  the  [insert  title]  Court  if  the  court  directs  that  the 
order  or  report  of  the  Commissioner  be  affirmed  or  the  petition  for  review 
dismissed. 

No  order  or  report  of  the  Commissioner  under  this  Act  or  order  of  a  court  to  enforce 
the  same  shall  in  any  way  relieve  or  absolve  any  person  affected  by  such  order  or 
report  from  any  liability  under  any  law  of  this  State. 


Section  20.      Individual  Remedies 

A.  If  any  insurance  institution,  agent  or  insurance  support  organization  fails  to  comply 
with  Section  8,  9  or  10  of  this  Act  with  respect  to  the  rights  granted  under  those 
sections,  any  person  whose  rights  are  violated  may  apply  to  the  [insert  title]  Court  of 
this  State,  or  any  other  court  of  competent  jurisdiction,  for  appropriate  equitable 
relief. 

B.  An  insurance  institution,  agent  or  insurance  support  organization  which  discloses 
information  in  violation  of  Section  13  of  this  Act  shall  be  liable  for  damages 
sustained  by  the  individual  about  whom  the  information  relates;  provided,  however, 
that  no  individual  shall  be  entitled  to  a  monetary  award  which  exceeds  the  actual 
damages  sustained  by  the  individual  as  a  result  of  a  violation  of  Section  13  of  this 
Act. 


D. 


In  any  action  brought  pursuant  to  this  section,  the  court  may  award  the  cost  of  the 
action  and  reasonable  attorney's  fees  to  the  prevailing  party. 

An  action  under  this  section  must  be  brought  within  two  (2)  years  from  the  date  the 
alleged  violation  is  or  should  have  been  discovered. 


E.  Except  as  specifically  provided  in  this  section,  there  shall  be  no  remedy  or  recovery 
available  to  individuals,  in  law  or  in  equity,  for  occurrences  constituting  a  violation 
of  any  provisions  of  this  Act. 

Section  21.      Immunity 

No  cause  of  action  in  the  nature  of  defamation,  invasion  of  privacy  or  negligence  shall  arise 
against  any  person  for  disclosing  personal  or  privileged  information  in  accordance  with  this  Act, 
nor  shall  such  a  cause  of  action  arise  against  any  pjerson  for  furnishing  personal  or  privileged 
information  to  an  insurance  institution,  agent  or  insurance  support  organization;  provided, 
however,  this  section  shall  provide  no  immunity  for  disclosing  or  furnishing  false  information 
with  malice  or  willful  intent  to  injure  any  person. 


Ill 


Section  22.      Obtaining  Information  Under  False  Pretenses 

Any  person  who  knowingly  and  willfully  obtains  information  about  an  individual  from  an 
insurance  institution,  agent  or  insurance  support  organization  under  false  pretenses  shall  be  fined 
not  more  than  [$10,000]  or  imprisoned  for  not  more  than  one  year,  or  both. 

Section  23.      Severability 

If  any  provisions  of  this  Act  or  the  application  thereof  to  any  person  or  circumstance  is  for  any 
reason  held  to  be  invalid,  the  remainder  of  the  Act  and  the  application  of  such  provision  to  other 
persons  or  circumstances  shall  not  be  affected  thereby. 

Section  24.      Effective  Date 

A.  This  Act  shall  take  effect  on  [insert  a  date  which  allows  at  least  a  one  year  interval 
between  the  date  of  enactment  and  the  effective  date]. 

B.  The  rights  granted  under  Sections  8,  9  and  13  of  this  Act  shall  take  effect  on  [insert 
effective  date]  regardless  of  the  date  of  the  collection  or  receipt  of  the  information 
which  is  the  subject  of  such  sections. 


Legislative  History  (all  references  are  to  the  Proceedines  of  the  NAIC). 

1980  Proc.  1 34.  38.  281.  319.  320-335  (adopted). 

1981  Proc.  1 47,  51,  255.  259,  290-313  (revised  and  reprinted). 

1982  Proc.  1 19.  27,  155.  198  (amended). 


112 


Auachmeni  A 


NAIC  INSURANCE  INFORMATION  AND 
PRIVACY  PROTECTION  MODEL  ACT 


Table  of  Contents 


Preamble 


1. 
2. 
3. 

4. 
5. 
6. 

7. 


Section 
Section 
Section 
Section 
Section 
Section 
Section 
Section  8. 
Section  9. 
Section  10. 
Section  1 1. 
Section  12. 
Section  13. 
Section  14. 
Section  15. 
Section  16. 
Section  17. 
Section  18. 
Section  19. 
Section  20. 
Section  21. 
Section  22. 
Section  23. 
Section  24. 


Scope 

Definitions 

Pretext  Interviews 

Notice  of  Insurance  Information  Practices 

Marketing  and  Research  Surveys 

Content  of  Disclosure  Authorization  Forms 

Investigative  Consumer  Reports 

Access  to  Recorded  Personal  Information 

Correction,  Amendment  or  Deletion  of  Recorded  Personal  Information 

Reasons  for  Adverse  Underwriting  Decisions 

Information  Concerning  Previous  Adverse  Underwriting  Decisions 

Previous  Adverse  Underwriting  Decisions 

Disclosure  Limitations  and  Conditions 

Power  of  Commissioner 

Hearings,  Witnesses,  Appearances,  Production  of  Books  and  Service  of  Process 

Service  of  Process  -  Insurance  Support  Organizations 

Cease  and  Desist  Orders  and  Reports 

Penalties 

Judicial  Review  of  Orders  and  Reports 

Individual  Remedies 

Immunity 

Obtaining  Information  Under  False  Pretenses 

Severability 

Effective  Date 


Preamble 

The  purpose  of  this  Act  is  to  establish  standards  for  the  collection,  use  and  disclosure  of 
information  gathered  in  connection  with  insurance  transactions  by  insurance  institutions,  agents 
or  insurance  support  organizations;  to  maintain  a  balance  between  the  need  for  information  by 
those  conducting  the  business  of  insurance  and  the  public's  need  for  fairness  in  insurance 
information  practices,  including  the  need  to  minimize  intrusiveness;  to  establish  a  regulatory 
mechanism  to  enable  natural  persons  to  ascertain  what  information  is  being  or  has  been  collected 
about  them  in  connection  with  insurance  transactions  and  to  have  access  to  such  information  for 
the  purpose  of  verifying  or  disputing  its  accuracy;  to  limit  the  disclosure  of  information  collected 
in  connection  with  insurance  transactions;  and  to  enable  insurance  applicants  and  policyholders 
to  obtain  the  reasons  for  any  adverse  underwriting  decision. 


Section  1.        Scope 


113 


A.  The  obligations  by  this  Act  shall  apply  to  those  insurance  institutions,  agents  or 
insurance  support  organizations  which,  on  or  after  the  effective  date  of  this  Act: 

( 1 )  In  the  case  of  life,  health  and  disability  insurance: 

(a)  Collect,  receive  or  maintain  information  in  connection  with  insurance 
transactions  which  pertains  to  natural  persons  who  are  residents  of  this 
State,  or 

(b)  Engage  in  insurance  transactions  with  applicants,  individuals  or 
policyholders  who  are  residents  of  this  State,  and 

(2)  In  the  case  of  property  or  casualty  insurance: 

(a)  Collect,  receive  or  maintain  information  in  connection  with  insurance 
transactions  involving  policies,  contracts  or  certificates  of  insurance 
delivered,  issued  for  delivery  or  renewed  in  this  State,  or 

(b)  Engage  in  insurance  transactions  involving  policies,  contracts  or 
certificates  of  insurance  delivered,  issued  for  delivery  or  renewed  in  this 
State. 

B.  The  rights  granted  by  this  Act  shall  extend  to: 

(1)  In  the  case  of  life,  health  or  disability  insurance,  the  following  persons  who 
are  residents  of  this  State: 

(a)  Natural  persons  who  are  the  subject  of  information  collected,  received  or 
maintained  in  connection  with  insurance  transactions,  and 

(b)  Applicants,  individuals  or  policyholders  who  engage  in  or  seek  to  engage 
in  insurance  transactions,  and 

(2)  In  the  case  of  property  or  casualty  insurance,  the  following  persons: 

(a)  Natural  persons  who  are  the  subject  of  information  collected,  received  or 
maintained  in  connection  with  insurance  transactions  involving  policies, 
contracts  or  certificates  of  insurance  delivered,  issued  for  delivery  or 
renewed  in  this  State,  and 

(b)  Applicants,  individuals  or  policyholders  who  engage  in  or  seek  to  engage 
in  insurance  transactions  involving  policies,  contracts  or  certificates  of 
insurance  delivered,  issued  for  delivery  or  renewed  in  this  State. 


114 


C.  For  purposes  of  this  section,  a  person  shall  be  considered  a  resident  of  this  State  if 
the  person's  last  known  mailing  address,  as  shown  in  the  records  of  the  insurance 
institution,  agent  or  insurance  support  organization,  is  located  in  this  State. 

D.  Notwithstanding  Subsections  A  and  B  above,  this  Act  shall  not  apply  to  information 
collected  from  the  public  records  of  a  governmental  authority  and  maintained  by  an 
insurance  institution  or  its  representatives  for  the  purpose  of  insuring  the  title  to  real 
property  located  in  this  State. 

Section  2.        Definitions 

As  used  in  this  Act: 

A.       "Adverse  underwriting  decision"  means: 

(1)      Any  of  the  following  actions  with  respect  to  insurance  transactions  involving 
insurance  coverage  which  is  individually  underwritten: 

(a)  A  declination  of  insurance  coverage; 

(b)  A  termination  of  insurance  coverage; 

(c)  Failure  of  an  agent  to  apply  for  insurance  coverage  with  a  specific 
insurance  institution  which  the  agent  represents  and  which  is  requested 
by  an  applicant; 

(d)  In  the  case  of  a  property  or  casualty  insurance  coverage: 

(i)  Placement  by  an  insurance  institution  or  agent  of  a  risk  with  a 
residual  market  mechanism,  an  unauthorized  insurer  or  an 
insurance  institution  which  specializes  in  substandard  risks;  or 

(ii)  The  charging  of  a  higher  rate  on  the  basis  of  information  which 
differs  from  that  which  the  applicant  or  policyholder  furnished; 

Drafting  Note:  The  use  of  the  term  "substandard"  in  Section  2A(d)(i)  is  intended  to  apply  to 
those  insurance  institutions  whose  rates  and  market  orientation  are  directed  at  risks  other  than 
preferred  or  standard  risks.  To  facilitate  compliance  with  this  Act,  Commissioners  should 
consider  developing  a  list  of  insurance  institutions  operating  in  their  state  which  specialize  in 
substandard  risks  and  make  it  known  to  insurance  institutions  and  agents. 

(e)  In  the  case  of  a  life,  health  or  disability  insurance  coverage,  an  offer  to 
insure  at  higher  than  standard  rates. 


115 


(2)  Notwithstanding  Paragragh  (1)  above,  the  following  actions  shall  not  be 
considered  adverse  underwriting  decisions  but  the  insurance  institution  or 
agent  responsible  for  their  occurrence  shall  nevertheless  provide  the  applicant 
or  policyholder  with  the  specific  reason  or  reasons  for  their  occurrence: 

(a)  The  termination  of  an  individual  policy  form  on  a  class  or  statewide 
basis; 

(b)  A  declination  of  insurance  coverage  solely  because  such  coverage  is  not 
available  on  a  class  or  statewide  basis;  or 

(c)  The  rescission  of  a  policy. 

B.  "Affiliate"  or  "affiliated"  means  a  person  that  directly,  or  indirectly  through  one  or 
more  intermediaries,  controls,  is  controlled  by  or  is  under  common  control  with 
another  person. 

C.  "Agent"  means  [make  reference  here  to  every  appropriate  statutory  category  of 
producer,  including  brokers,  authorized  to  do  business  in  the  State.  This  is  necessary 
because  in  many  states  different  types  of  producers,  or  producers  for  certain  types  of 
insurance  institutions  are  referred  to  by  specific  statutory  terms  in  the  insurance 
code.] 

D.  "Applicant"  means  a  person  who  seeks  to  contract  for  insurance  coverage  other  than 
a  person  seeking  group  insurance  that  is  not  individually  underwritten. 

E.  "Commissioner"  means  [insert  the  appropriate  title  and  statutory  reference  for  the 
principal  insurance  regulatory  official  of  the  State.] 

F.  "Consumer  report"  means  a  written,  oral  or  other  communication  of  information 
bearing  on  a  natural  person's  credit  worthiness,  credit  standing,  credit  capacity, 
character,  general  reputation,  personal  characteristics  or  mode  of  living  which  is 
used  or  expected  to  be  used  in  connection  with  an  insurance  transaction. 

G.  "Consumer  reporting  agency"  means  a  person  who: 

(1)  Regularly  engages,  in  whole  or  in  part,  in  the  practice  of  assembling  or 
preparing  consumer  reports  for  a  monetary  fee; 

(2)  Obtains  information  primarily  from  sources  other  than  insurance  institutions; 
and 

(3)  Furnishes  consumer  reports  to  other  persons. 


116 


H.  "Control,"  including  the  terms  "controlled  by"  or  "under  common  control  with," 
means  the  possession,  direct  or  indirect,  of  the  power  to  direct  or  cause  the  direction 
of  the  management  and  policies  of  a  person,  whether  through  the  ownership  of 
voting  securities,  by  contract  other  than  a  commercial  contract  for  goods  or 
nonmanagement  services,  or  otherwise,  unless  the  power  is  the  result  of  an  official 
position  with  or  corporate  office  held  by  the  person. 

I.  "Declination  of  insurance  coverage"  means  a  denial,  in  whole  or  in  part,  by  an 
insurance  institution  or  agent  of  requested  insurance  coverage. 

J.        "Individual"  means  a  natural  person  who: 

( 1 )  In  the  case  of  property  or  casualty  insurance,  is  a  past,  present  or  proposed 
named  insured  or  certificateholder; 

(2)  In  the  case  of  life,  health  or  disability  insurance,  is  a  past,  present  or  proposed 
principal  insured  or  certificateholder; 

(3)  Is  a  past,  present  or  proposed  policyowner; 

(4)  Is  a  past  or  present  applicant; 

(5)  Is  a  past  or  present  claimant;  or 

(6)  Derived,  derives  or  is  proposed  to  derive   insurance  coverage  under  an 
insurance  policy  or  certificate  subject  to  this  Act. 

K.  "Institutional  source"  means  any  person  or  governmental  entity  that  provides 
information  about  an  individual  to  an  agent,  insurance  institution  or  insurance 
support  organization,  other  than: 

( 1 )  An  agent; 

(2)  The  individual  who  is  the  subject  of  the  information;  or 

(3)  A  natural  person  acting  in  a  personal  capacity  rather  than  in  a  business  or 
professional  capacity. 

L.  "Insurance  institution"  means  any  corporation,  association,  partnership,  reciprocal 
exchange,  inter-insurer,  Lloyd's  insurer,  fraternal  benefit  society  or  other  person 
engaged  in  the  business  of  insurance,  including  health  maintenance  organizations, 
medical  service  plans  and  hospital  service  plans  as  defined  in  [insert  the  applicable 
section  of  the  State  insurance  code  which  defines  health  maintenance  organizations 
or  medical  or  hospital  service  plans.]  "Insurance  institution"  shall  not  include  agents 
or  insurance  support  organizations. 


117 


M.      "Insurance  support  organization"  means: 

(1)  Any  person  who  regularly  engages,  in  whole  or  in  part,  in  the  practice  of 
assembling  or  collecting  information  about  natural  persons  for  the  primary 
purpose  of  providing  the  information  to  an  insurance  institution  or  agent  for 
insurance  transactions,  including: 

(a)  The  furnishing  of  consumer  reports  or  investigative  consumer  reports  to 
an  insurance  institution  or  agent  for  use  in  connection  with  an  insurance 
transaction,  or 

(b)  The  collection  of  personal  infonnation  from  insurance  institutions,  agents 
or  other  insurance  support  organizations  for  the  purpose  of  detecting  or 
preventing  fraud,  material  misrepresentation  or  material  nondisclosure  in 
connection  with  insurance  underwriting  or  insurance  claim  activity. 

(2)  Notwithstanding  Paragraph  (1)  above,  the  following  persons  shall  not  be 
considered  "insurance  support  organizations"  for  purposes  of  this  Act:  agents, 
government  institutions,  insurance  institutions,  medical  care  institutions  and 
medical  professionals. 

N.  "Insurance  transaction"  means  any  transaction  involving  insurance  primarily  for 
personal,  family  or  household  needs  rather  than  business  or  professional  needs 
which  entails: 

(1)  The  determination  of  an  individual's  eligibility  for  an  insurance  coverage, 
benefit  or  payment;  or 

(2)  The  servicing  of  an  insurance  application,  policy,  contract  or  certificate. 

O.  "Investigative  consumer  report"  means  a  consumer  report  or  portion  thereof  in 
which  information  about  a  natural  person's  character,  general  reputation,  personal 
characteristics  or  mode  of  living  is  obtained  through  personal  interviews  with  the 
person's  neighbors,  friends,  associates,  acquaintances  or  others  who  may  have 
knowledge  concerning  such  items  of  information. 

P.  "Medical-care  institution"  means  any  facility  or  institution  that  is  licensed  to  provide 
health  care  services  to  natural  persons,  including  but  not  limited  to:  health- 
maintenance  organizations  home-health  agencies,  hospitals,  medical  clinics,  public 
health  agencies,  rehabilitation  agencies  and  skilled  nursing  facilities. 

Q.  "Medical  professional"  means  any  person  licensed  or  certified  to  provide  health  care 
services  to  natural  persons,  including  but  not  limited  to,  a  chiropractor,  clinical 
dietician,  clinical  psychologist,  dentist,  nurse,  occupational  therapist,  optometrist. 


118 


pharmacist,  physical  therapist,  physician,  podiatrist,  psychiatric  social  worker  or 
speech  therapist. 

R.       "Medical  record  information"  means  personal  information  which: 

(1)  Relates  to  an  individual's  physical  or  mental  condition,  medical  history  or 
medical  treatment;  and 

(2)  Is  obtained  from  a  medical  professional  or  medical  care  institution,  from  the 
individual,  or  from  the  individual's  spouse,  parent  or  legal  guardian. 

S.  "Person"  means  any  natural  person,  corporation,  association,  partnership  or  other 
legal  entity. 

T.  "Personal  information"  means  any  individually  identifiable  information  gathered  in 
connection  with  an  insurance  transaction  from  which  judgments  can  be  made  about 
an  individual's  character,  habits,  avocations,  finances,  occupation,  general 
reputation,  credit,  health  or  any  other  personal  characteristics.  "Personal 
information"  includes  an  individual's  name  and  address  and  "medical  record 
information"  but  does  not  include  "privileged  information". 

U.       "Policyholder"  means  any  person  who: 

(1)  In  the  case  of  individual  property  or  casualty  insurance,  is  a  present  named 
insured; 

(2)  In  the  case  of  individual  life,  health  or  disability  insurance,  is  a  present 
policyowner;  or 

(3)  In  the  case  of  group  insurance  which  is  individually  underwritten,  is  a  present 
group  certificateholder. 

V.  "Pretext  interview"  means  an  interview  whereby  a  person,  in  an  attempt  to  obtain 
information  about  a  natural  person,  performs  one  or  more  of  the  following  acts: 

( 1 )  Pretends  to  be  someone  he  or  she  is  not; 

(2)  Pretends  to  represent  a  person  he  or  she  is  not  in  fact  representing; 

(3)  Misrepresents  the  true  purpose  of  the  interview;  or 

(4)  Refuses  to  identify  himself  or  herself  upon  request. 

W.      "Privileged  information"  means  any  individually  identifiable  information  that: 


119 


(1)  Relates  to  a  claim  for  insurance  benefits  or  a  civil  or  criminal  proceeding 
involving  an  individual;  and 

(2)  Is  collected  in  connection  with  or  in  reasonable  anticipation  of  a  claim  for 
insurance  benefits  or  civil  or  criminal  proceeding  involving  an  individual; 

provided,  however,  information  otherwise  meeting  the  requirements  of  this 
subsection  shall  nevertheless  be  considered  "personal  information"  under  this  Act  if 
it  is  disclosed  in  violation  of  Section  13  of  this  Act. 

Drafting  Note:  The  phrase  "in  reasonable  anticipation  of  a  claim"  contemplates  that  the 
insurance  institution  has  knowledge  of  a  loss  but  has  not  received  formal  notice  of  the  claim. 

X.  "Residual  market  mechanism"  means  an  association,  organization  or  other  entity 
defined  or  described  in  Sections(s)  [insert  those  sections  of  the  State  insurance  code 
authorizing  the  establishment  of  a  FAIR  Plan,  assigned  risk  plan,  reinsurance 
facility,  joint  underwriting  association,  etc.] 

Drafting  Note:  Those  states  having  a  reinsurance  facility  may  want  to  exclude  it  from  this 
definition  if  the  state's  policy  is  not  to  disclose  to  insureds  the  fact  that  they  have  been  reinsured 
in  the  facility. 

Y.  "Termination  of  insurance  coverage"  or  "termination  of  an  insurance  policy"  means 
either  a  cancellation  or  nonrenewal  of  an  insurance  policy,  in  whole  or  in  part,  for 
any  reason  other  than  the  failure  to  pay  a  premium  as  required  by  the  policy. 

Z.  "Unauthorized  insurer"  means  an  insurance  institution  that  has  not  been  granted  a 
certificate  of  authority  by  the  Commissioner  to  transact  the  business  of  insurance  in 
this  state. 

Drafting  Note:  Each  state  must  make  sure  that  this  definition  is  consistent  with  its  surplus  lines 
laws. 

Section  3.        Pretext  Interviews 

No  insurance  institution,  agent  or  insurance  support  organization  shall  use  or  authorize  the  use  of 
pretext  interviews  to  obtain  information  in  connection  with  an  insurance  transaction;  provided, 
however,  a  pretext  interview  may  be  undertaken  to  obtain  information  from  a  person  or 
institution  that  does  not  have  a  generally  or  statutorily  recognized  privileged  relationship  with  the 
person  about  whom  the  information  relates  for  the  purpose  of  investigating  a  claim  where,  based 
upon  specific  information  available  for  review  by  the  Commissioner,  there  is  a  reasonable  basis 
for  suspecting  criminal  activity,  fraud,  material  misrepresentation  or  material  nondisclosure  in 
connection  with  the  claim. 


120 


Drafting  Note:  Some  states  may  desire  to  eliminate  the  exception  in  this  section  and  thereby 
prohibit  pretext  interviews  in  all  instances.  Other  states  may  desire  to  broaden  the  exception  so 
that  pretext  interviews  can  be  utilized  in  underwriting  and  rating  situations  as  well  as  claim 
situations.  States  may  either  expand  or  limit  the  prohibition  against  pretext  interviews  suggested 
in  this  section  to  accommodate  their  individual  needs  and  circumstances.  Deviation  from  the 
standard  developed  here  should  not  seriously  undermine  efforts  to  achieve  uniform  rules  for 
insurance  information  practices  throughout  the  various  states. 

Section  4.        Notice  of  Insurance  Information  Practices 

A.  An  insurance  institution  or  agent  shall  provide  a  notice  of  information  practices  to 
all  applicants  or  policyholders  in  connection  with  insurance  transactions  as  provided 
below: 

(1)  In  the  case  of  an  application  for  insurance,  a  notice  shall  be  provided  no  later 
than: 

(a)  At  the  time  of  the  delivery  of  the  insurance  policy  or  certificate  when 
personal  information  is  collected  only  from  the  applicant  or  from  public 
records;  or 

(b)  At  the  time  the  collection  of  personal  information  is  initiated  when 
personal  information  is  collected  from  a  source  other  than  the  applicant 
or  public  records; 

(2)  In  the  case  of  a  policy  renewal,  a  notice  shall  be  provided  no  later  than  the 
policy  renewal  date,  except  that  no  notice  shall  be  required  in  connection  with 
a  policy  renewal  if: 

(a)  Personal  information  is  collected  only  from  the  policyholder  or'  from 
public  records;  or 

(b)  A  notice  meeting  the  requirements  of  this  section  has  been  given  within 
the  previous  twenty-four  (24)  months;  or 

(3)  In  the  case  of  a  policy  reinstatement  or  change  in  insurance  benefits,  a  notice 
shall  be  provided  no  later  than  the  time  a  request  for  a  policy  reinstatement  or 
change  in  insurance  benefits  is  received  by  the  insurance  institution,  except 
that  no  notice  shall  be  required  if  personal  information  is  collected  only  from 
the  policyholder  or  from  public  records. 

B.  The  notice  required  by  Subsection  A  above  shall  be  in  writing  and  shall  state: 

(1)  Whether  personal  information  may  be  collected  from  persons  other  than  the 
individual  or  individuals  proposed  for  coverage; 


121 


(2)  The  types  of  personal  information  that  may  be  collected  and  the  types  of 
sources  and  investigative  techniques  that  may  be  used  to  collect  such 
information; 

(3)  The  types  of  disclosures  identified  in  subsections  B,  C,  D,  E,  F,  I,  K,  L  and  N 
of  Section  13  of  this  Act  and  the  circumstances  under  which  such  disclosures 
may  be  made  without  prior  authorization;  provided,  however,  only  those 
circumstances  need  be  described  which  occur  with  such  frequency  as  to 
indicate  a  general  business  practice; 

(4)  A  description  of  the  rights  established  under  Sections  8  and  9  of  this  Act  and 
the  manner  in  which  such  rights  may  be  exercised;  and 

(5)  That  information  obtained  from  a  report  prepared  by  an  insurance  support 
organization  may  be  retained  by  the  insurance  support  organization  and 
disclosed  to  other  persons. 

C.  In  lieu  of  the  notice  prescribed  in  Subsection  B,  the  insurance  institution  or  agent 
may  provide  an  abbreviated  notice  informing  the  applicant  or  policyholder  that: 

(1)  Personal  information  may  be  collected  from  persons  other  than  the  individual 
or  individuals  proposed  for  coverage; 

(2)  Such  information  as  well  as  other  personal  or  privileged  information 
subsequently  collected  by  the  insurance  institution  or  agent  may  in  certain 
circumstances  be  disclosed  to  third  parties  without  authorization; 

(3)  A  right  of  access  and  correction  exists  with  respect  to  all  personal  information 
collected;  and 

(4)  The  notice  prescribed  in  Subsection  B  will  be  furnished  to  the  applicant  or 
policyholder  upon  request. 

D.  The  obligations  imposed  by  this  section  upon  an  insurance  institution  or  agent  may 
be  satisfied  by  another  insurance  institution  or  agent  authorized  to  act  on  its  behalf 

Drafting  Note:  If  permitted  under  Section  4A,  an  insurance  institution  or  agent  may  include  the 
notice  in  the  insurance  policy  or  certificate. 

Section  5.        Marketing  and  Research  Surveys 

An  insurance  institution  or  agent  shall  clearly  specify  those  questions  designed  to  obtain 
information  solely  for  marketing  or  research  purposes  from  an  individual  in  connection  with  an 
insurance  transaction. 


122 


Auachmcnl  B 


HEALTH  INFORMATION  PRIVACY  MODEL  ACT 


Table  of  Contents 

Section  1.  Title 

Section  2.  Purpose 

Section  3.  Definitions 

Section  4.  Applicability  and  Scope 

Section  5.  Health  Information  Policies,  Standards  and  Procedures 

Section  6.  Notice  of  Health  Information  Policies,  Standards  and  Procedures 

Section  7.  Right  to  Access  Protected  Health  Information 

Section  8.  Right  to  Amend  Protected  Health  Information 

Section  9.  List  of  Disclosures  of  Protected  Health  Liformation 

Section  10.  Authorization  for  Collection,  Use  or  Disclosure  of  Protected  Health  Information 

Section  11.  Collection,    Use    or    Disclosure    of    Protected    Health    Information    Without 

Authorization:  Generally 

Section  12.  Collection,    Use    or    Disclosure    of    Protected    Health    Information    Without 

Authorization  for  Scientific,  Medical  and  Public  Policy  Research 

Section  13.  Unauthorized  Collection,  Use  or  Disclosure  of  Protected  Health  Information 

Section  14.  Right  to  Limit  Disclosures 

Section  15.  Sanctions 

Section  16.  Regulations 

Section  17.  Separability 

Section  18.  Effective  Date 

Section  1.        Title 

This  Act  may  be  known  and  shall  be  cited  as  the  Health  Information  Privacy  Act. 

Section  2.        Purpose 

The  purpose  of  this  Act  is  to  set  standards  to  protect  health  information  from  unauthorized 
collection,  use  and  disclosure  by  requiring  carriers  to  establish  procedures  for  the  treatment  of  all 
health  information. 

Sections.        Dennitions 


As  used  in  this  Act: 


123 


A.  "Carrier"  means  a  person  or  entity  required  to  be  licensed  or  authorized  by  the 
commissioner  to  assume  risk,  including  but  not  limited  to  an  insurer,  a  hospital, 
medical  or  health  service  corporation,  a  health  maintenance  organization,  a 
provider  sponsored  organization,  a  multiple  employer  welfare  arrangement,  a  self- 
insured  group  fund  or  a  workers'  compensation  self-insurer.  Carrier  does  not 
include  a  non-risk-bearing  regulated  insurance  entity,  such  as  a  producer,  agency 
or  administrator. 

Drafting  Note:  Some  entities  that  collect,  use  or  disclose  protected  health  information  may  not 
be  subject  to  the  jurisdiction  of  the  insurance  commissioner,  but  may  be  subject  to  the 
jurisdiction  of  another  state  agency,  such  as  the  Department  of  Labor  or  the  Department  of 
Health.  States  may  want  to  ensure  fair  and  equitable  regulation  of  all  entities  that  collect,  use  or 
disclose  protected  health  information  by  making  parallel  amendments  to  other  appropriate  state 
laws,  such  as  workers'  compensation  laws. 

B.  "Commissioner"  means  the  insurance  commissioner  of  this  state. 

Drafting  Note:  Use  the  title  of  the  chief  insurance  regulatory  official  wherever  the  term 
"commissioner"  appears.  If  the  jurisdiction  of  certain  health  carriers,  such  as  health  maintenance 
organizations,  lies  with  some  state  agency  other  than  the  insurance  department,  or  if  there  is  dual 
regulation,  a  state  should  add  language  referencing  that  agency  to  ensure  the  appropriate 
coordination  of  responsibilities. 

C.  "Covered  person"  means  a  policyholder,  subscriber,  enroUee,  beneficiary,  insured, 
certificateholder  or  other  person  covered  by  a  policy,  contract  or  agreement  of 
insurance  issued  by  a  carrier. 

D.  "Disclose"  means  to  release,  transfer,  or  otherwise  divulge  protected  health 
information  to  any  person  other  than  to  the  individual  who  is  the  subject  of  the 
protected  health  information. 

E.  "Facility"  means  an  institution  providing  health  care  services  or  a  health  care 
setting,  including  but  not  limited  to  hospitals  and  other  licensed  inpatient  centers, 
ambulatory  surgical  or  treatment  centers,  skilled  nursing  centers,  residential 
treatment  centers,  diagnostic,  laboratory  and  imaging  centers,  and  rehabilitation 
and  other  therapeutic  health  settings. 

F.  "Health  care"  means: 


124 


(1)  Preventive,     diagnostic,    therapeutic,     rehabilitative,    maintenance,    or 
palliative  care,  services,  procedures,  tests  or  counseling  that: 

(a)  Relates  to  the  physical,  mental  or  behavioral  condition  of  an 
individual;  or 

(b)  Affects  the  structure  or  function  of  the  human  body  or  any  part  of 
the  human  body,  including  the  banking  of  blood,  sperm,  organs,  or 
any  other  tissue;  or 

(2)  Prescribing,  dispensing,  or  furnishing  to  an  individual  drugs  or  biologicals, 
or  medical  devices  or  health  care  equipment  and  supplies. 

G.  "Health  care  professional"  means  a  physician  or  other  health  care  practitioner 
licensed,  accredited  or  certified  to  perform  specified  health  services  consistent 
with  state  law. 

H.        "Health  care  provider"  or  "provider"  means  a  health  care  professional  or  facility. 

I.  "Health  information"  means  any  information  or  data,  whether  oral  or  recorded  in 

any  form  or  medium,  and  personal  facts  or  information  about  events  or 
relationships  that  relates  to: 

(1)  The  past,  present  or  future  physical,  mental  or  behavioral  health  or 
condition  of  an  individual  or  a  member  of  the  individual's  family; 

(2)  The  provision  of  health  care  to  an  individual;  or 

(3)  Payment  for  the  provision  of  health  care  to  an  individual. 

J.  "Insurance  support  organization"  means  a  person  that  regularly  engages,  in  whole 

or  in  part,  in  the  practice  of  assembling  or  collecting  information  from  carriers, 
agents  or  other  insurance  support  organizations  for  the  purpose  of  ratemaking  or 
ratemaking-related  functions,  regulatory  or  legislative  cost  analysis,  detecting  or 
preventing  fraud,  material  misrepresentation  or  material  nondisclosure  in 
connection  with  insurance  underwriting  or  insurance  claim  activity.  Persons  that 
are  not  considered  "insurance  support  organizations"  for  purposes  of  this  Act  are 
agents,  government  institutions,  insurance  institutions,  medical  care  institutions 
and  medical  professionals. 


125 


Drafting  Note:  States  may  wish  to  include  either  separately  or  in  the  definition  section,  a 
definition  of  the  term  "insurance  institution,"  from  the  NAIC  Insurance  Information  and  Privacy 
Protection  Model  Act.  "Insurance  institution"  means  any  corporation,  association,  partnership, 
reciprocal  exchange,  inter-insurer,  Lloyd's  insurer,  fraternal  benefit  society  or  other  person 
engaged  in  the  business  of  insurance,  including  health  maintenance  organizations,  medical 
service  plans  and  hospital  service  plans  as  defined  in  [insert  applicable  section  of  the  State 
insurance  code  which  defines  health  maintenance  organization  or  medical  or  hospital  service 
plans.] 

K.  "Person"  means  an  individual,  a  corporation,  a  partnership,  an  association,  a  joint 
venture,  a  joint  stock  company,  a  trust,  an  unincorporated  organization,  any 
similar  entity  or  a  combination  of  the  foregoing. 

L.         "Protected  health  information"  means  health  information: 

(1)  That  identifies  an  individual  who  is  the  subject  of  the  information;  or 

(2)  With  respect  to  which  there  is  a  reasonable  basis  to  believe  that  the 
information  could  be  used  to  identify  an  individual. 

M.  "Research"  means  the  process  of  systematic  investigation  or  inquiry  including,  but 
not  limited  to  any  of  the  following:  the  systematic  development  and  testing  of  a 
hypothesis;  and  the  systematic  description,  analysis  and  measurement  of 
processes,  behaviors  and  physical,  social,  political  or  medical  phenomena. 

N.  "Research  organization"  means  a  person  or  organization,  other  than  the  carrier 
disclosing  the  protected  health  information,  engaged  in  research. 

O.        (1)       "Scientific,  medical  or  public  policy  research"  means  research  conducted 
to  improve  the  effectiveness  of: 

(a)  E>etermining  medical  causation,  diagnosis  and  treatment; 

(b)  Public  health;  or 

(c)  The  operations  of  the  public  or  private  health  care,  insurance  or 
workers*  compensation  systems;  and 

(2)        (a)        The  results  of  the  research  are  intended  for  publication; 


65-149    2001-5 


126 


(b)  The  research  findings  are  intended  to  be  widely  disseminated 
beyond  the  carrier  and  research  organization  so  as  to  benefit  the 
public  good;  and 

(3)        The  scientific,  medical  or  public  policy  research  excludes  all  activities 
listed  in  Section  lOH(l). 

P.  "Unauthorized"  means  a  collection,  use  or  disclosure  of  protected  health 
information  made  by  a  carrier  without  the  authorization  of  the  subject  of  that 
protected  health  information  or  that  is  not  in  compliance  with  this  Act,  unless 
collection,  use  or  disclosure  without  an  authorization  is  permitted  by  this  Act. 

Section  4.        Applicability  and  Scope 

This  Act  applies  to  all  carriers  and  governs  the  management  of  health  information,  including  the 
collection,  use,  and  disclosure  of  protected  health  information  by  carriers. 

Section  5.        Health  Information  Policies,  Standards  and  Procedures 

A.  A  carrier  shall  develop  and  implement  written  policies,  standards  and  procedures 
for  the  management  of  health  information,  including  policies,  standards  and 
procedures  to  guard  against  the  unauthorized  collection,  use  or  disclosure  of 
protected  health  information  by  the  carrier  which  shall  include: 

(1)  Limitation  on  access  to  health  information  by  only  those  pjersons  who  need 
to  use  the  health  information  in  order  to  perform  their  jobs; 

(2)  Appropriate  training  for  all  employees; 

(3)  Disciplinary  measures  for  violations  of  the  health  information  policies, 
standards  and  procedures; 

(4)  Identification  of  the  job  titles  and  job  descriptions  of  persons  that  are 
authorized  to  disclose  protected  health  information; 

(5)  Procedures  for  authorizing  and  restricting  the  collection,  use  or  disclosure 
of  protected  health  information; 

(6)  Methods  for  exercising  the  right  to  access  and  amend  protected  health 
information  as  provided  in  Sections  7  and  8; 


127 


(7)  Methods  for  handling,  disclosing,  storing  and  disposing  of  health 
information; 

(8)  Periodic  monitoring  of  the  employees'  compliance  with  the  carrier's 
policies,  standards  and  procedures  in  a  manner  sufficient  for  the  carrier  to 
determine  compliance  with  this  Act  and  to  enforce  its  policies,  standards 
and  procedures;  and 

(9)  Methods  for  informing  and  allowing  an  individual  who  is  the  subject  of 
protected  health  information  to  request  specialized  disclosure  or 
nondisclosure  of  protected  health  information  as  required  under  Section 
14. 

B.  (1)        In  any  contractual  arrangement  between  a  carrier  and  a  person  other  than  a 

covered  person  or  health  care  provider  where  the  person  collects  or  uses 
protected  health  information  on  behalf  of  the  carrier  or  where  the  carrier 
discloses  protected  health  information  to  the  person  a  carrier  shall: 

(a)  Require  the  person  to  have  health  information  policies,  standards 
and  procedures  that  comply  with  the  requirements  of  this  Act;  and 

(b)  Inform  the  person  of  its  obligation  to  comply  with  any  applicable 
state  and  federal  statutory  and  regulatory  requirements  governing 
the  collection,  use  or  disclosure  of  protected  health  information. 

(2)  In  any  contractual  arrangement  between  a  carrier  and  a  health  care 
provider,  a  carrier  shall  require  that  the  health  care  provider  have  health 
information  privacy  policies,  standards  and  procedures. 

(3)  Notwithstanding  Section  18,  all  contractual  arrangements  described  in  this 
subsection  in  effect  on  [insert  effective  date],  shall  comply  with  this  Act 
no  later  than  eighteen  (18)  months  after  [insert  effective  date]  or  the 
renewal  date  of  the  contract,  whichever  is  earlier. 

C.  A  carrier  shall  make  the  health  information  policies,  standards  and  procedures 
developed  pursuant  to  this  section  available  for  review  by  the  commissioner. 

Section  6.        Notice  of  Health  Information  Policies,  Standards  and  Procedures 


128 


A.  A  carrier  shall  draft  a  written  notice  of  its  health  information  policies,  standards 
and  procedures  developed  pursuant  to  Section  5,  which  shall  be  made  available 
for  review  by  the  commissioner.  The  notice  shall  include: 

(1)  The   collection,   use   and   disclosure   of  protected   health   information 
prohibited  and  permitted  by  this  Act; 

(2)  The  procedures  for  authorizing  and  limiting  disclosures  of  protected  health 
information  and  for  revoking  authorizations; 

(3)  The  procedures  for  accessing  and  amending  protected  health  information; 
and 

(4)  The  right  of  a  covered  person  to  review  a  copy  of  the  carrier's  health 
information  policies,  standards  and  procedures. 

B.  The  carrier  shall  provide  the  notice  to  any  person  upon  request,  to  covered  persons 
at  the  time  the  policy  is  first  delivered,  and  to  all  other  individuals  when 
requesting  an  authorization.  If  subsequent  policies  are  issued  to  the  same  insured, 
no  additional  notices  are  required  to  be  included  when  those  subsequent  policies 
are  delivered. 

Drafting  Note:  The  language  regarding  subsequent  policies  is  meant  to  clarify  that  notice  does 
not  need  to  be  redelivered  every  time  changes  are  made  to  the  policy  a  carrier  has  with  an 
existing  policyholder.  For  example,  notice  need  not  be  redelivered  when  an  automobile  is  added 
to  an  automobile  insurance  policy. 

Section  7.        Right  to  Access  Protected  Health  Information 

A.  Subject  to  the  exceptions  listed  in  Subsection  B(3)  of  this  section,  an  individual 
who  is  the  subject  of  the  protected  health  information  has  the  right  to  examine  or 
receive  a  copy  of  the  protected  health  information  that  is  in  the  possession  of  the 
carrier  or  a  person  acting  on  behalf  of  the  carrier. 

B.  No  later  than  twenty  (20)  working  days  after  receipt  of  a  written  request  for 
protected  health  information  from  an  individual  who  is  the  subject  of  protected 
health  information,  a  carrier  shall  do  one  of  the  following: 


129 


(1)  Provide  a  copy  of  the  protected  health  information  requested  to  the 
individual  or  if  providing  a  copy  is  not  possible,  permit  the  individual  to 
examine  the  protected  health  information  during  regular  business  hours; 

(2)  Notify  the  individual  that  the  carrier  does  not  have  the  protected  health 
information  and,  if  known,  inform  the  individual  of  the  name  and  address 
of  the  person  who  has  the  protected  health  information  requested  or,  if  the 
carrier  will  be  obtaining  access  to  the  requested  protected  health 
information,  when  the  protected  health  information  is  expected  to  be 
available  to  the  individual;  or 

(3)  Deny  the  request  in  whole  or  in  part  if  the  carrier  determines  any  of  the 
following: 

(a)  Knowledge  of  the  protected  health  information  would  reasonably 
be  expected  to  identify  a  confidential  source  who  provided  the 
protected  health  information  in  conjunction  with  a  lawfully 
conducted  investigation,  law  enforcement  investigation,  or  court 
proceeding; 

(b)  The  protected  health  information  was  compiled  in  preparation  for 
litigation,  law  enforcement  or  fraud  investigation,  quality  assurance 
or  peer  review  purposes; 

(c)  The  protected  health  information  is  the  original  work  product  of 
the  carrier,  which  would  include  but  not  be  limited  to 
interpretation,  mental  impressions,  instructions  and  other  original 
product  of  the  carrier,  its  employees  and  agents; 

(d)  The  requester  is  a  party  to  a  legal  proceeding  involving  the  carrier 
where  the  health  condition  of  the  requester  is  at  issue.  However, 
once  a  legal  proceeding  is  resolved,  the  individual's  right  to  access 
protected  health  information  under  this  section  and  to  amend 
protected  health  information  under  Section  8  shall  be  restored;  or 

(e)  Disclosure  of  the  protected  health  information  to  the  individual 
who  is  the  subject  of  the  protected  health  information  is  otherwise 
prohibited  by  law. 


130 


C.  If  a  request  to  examine  or  copy  protected  health  information  is  denied  in  whole  or 
in  part  under  this  section,  the  carrier  shall  notify  the  individual  who  is  the  subject 
of  the  protected  health  information  of  the  reasons  for  the  denial  in  writing.  When 
the  protected  health  information  was  compiled  in  preparation  for  litigation,  law 
enforcement  or  fraud  investigation,  the  carrier  is  not  required  to  notify  the 
individual  of  the  reasons  for  the  denial. 

Drafting  Note:  When  the  information  that  has  been  requested  is  not  subject  to  release,  the  carrier 
should  inform  the  requester  that  all  information  required  to  be  released  under  this  Act  has  been 
released. 

D.  A  carrier  is  not  required  to  create  a  new  record  or  reformulate  an  existing  record 
in  order  to  meet  a  request  for  protected  health  information. 

E.  The  carrier  may  charge  a  reasonable  fee  for  providing  the  protected  health 
information  requested  and  shall  provide  a  detailed  bill  accounting  for  the  charges. 
No  charge  shall  be  made  for  reproduction  of  protected  health  information 
requested  for  the  purpose  of  supporting  a  claim,  supporting  an  appeal  or  accessing 
any  federal  or  state  sponsored  or  operated  health  benefits  program. 

Section  8.         Right  to  Amend  Protected  Health  Information 

A.  An  individual  who  is  the  subject  of  protected  health  information  has  the  right  to 
amend  the  protected  health  information  to  correct  any  inaccuracies. 

B.  Within  thirty  (30)  working  days  after  receipt  of  a  written  request  from  an 
individual  who  is  the  subject  of  protected  health  information  to  amend  protected 
health  information,  a  carrier  shall  act  to  verify  the  accuracy  of  protected  health 
information  identified  as  erroneous  by  the  individual  and  shall  do  one  of  the 
following: 

(1)  Correct  or  amend  (either  by  changing  the  information  in  question  or 
adding  additional  information  as  provided  by  the  individual),  or  delete  the 
portion  of  the  protected  health  information  in  dispute  and  notify  the 
individual  of  the  changes;  or 


(2)       Notify  the  individual  that  the  request  has  been  denied,  the  reason  for  the 
denial,  and  that  the  individual  may: 


131 


(a)  Request  that  the  health  care  provider  who  created  the  record  in 
question  amend  the  record.  The  carrier  shall  include  the  health  care 
provider's  name  and  address;  or 

(b)  File  a  concise  statement  of  what  the  individual  believes  to  be  the 
correct  information  and  the  reasons  why  the  individual  disagrees 
with  the  denial.  The  carrier  shall  retain  this  statement  filed  by  the 
individual  with  the  protected  health  information. 

C.  If  the  carrier  corrects,  amends  or  deletes  the  protected  health  information  as 
requested  pursuant  to  Subsection  B{1),  the  carrier  shall  furnish  the  correction, 
amendment  or  deletion  to: 

(1)  All  persons  who  have  received  the  protected  health  information  that  has 
been  corrected,  amended  or  deleted  from  the  carrier  within  the  preceding 
two  (2)  years; 

(2)  An  insurance  support  organization  whose  primary  source  of  protected 
health  information  is  carriers,  as  long  as  the  insurance  support 
organization  has  systematically  received  protected  health  information  from 
the  carrier  within  the  preceding  seven  (7)  years.  However,  the  correction, 
amendment  or  deletion  need  not  be  furnished  if  the  insurance  support 
organization  no  longer  maintains  the  protected  health  information  that  has 
been  corrected,  amended  or  deleted;  and 

(3)  Any  person  that  furnished  the  protected  health  information  that  was 
amended  pursuant  to  Subsection  B(l). 

D.  If  the  individual  who  is  the  subject  of  the  protected  health  information  files  a 
statement  pursuant  to  Subsection  B(2)(b),  the  carrier  shall: 

(1)  Clearly  identify  the  matter  or  matters  in  dispute  and  include  the  statement 
in  any  subsequent  disclosure  of  the  protected  health  information;  and 

(2)  Furnish  the  statement  to  the  persons  described  in  Subsection  C. 

E.  Nothing  in  this  section  shall  require  a  carrier  to  alter,  delete,  erase  or  obliterate 
medical  records  provided  to  them  by  a  health  care  provider. 


132 


F.  Nothing  in  this  section  shall  be  construed  to  give  a  person  access  to  protected 
health  information  covered  by  the  exceptions  listed  in  Section  7B(3). 

Section  9.        List  of  Disclosures  of  Protected  Health  Information 

A.  A  carrier  shall  provide  upon  request,  to  an  individual  who  is  the  subject  of  the 
protected  health  information,  information  regarding  disclosure  of  that  individual's 
protected  health  information  that  is  sufficient  to  exercise  the  right  to  amend  the 
information  pursuant  to  Section  8.  This  information  shall  include  the  date, 
purpose,  recipient  and  relevant  authorization  or  basis  for  the  disclosure.  The 
carrier  may  charge  a  reasonable  fee  for  providing  the  information  regarding  the 
disclosures  of  information. 

B.  A  carrier  shall  maintain  a  system  that  is  sufficient  for  the  commissioner  to 
determine  that  the  carrier  can  produce  a  complete  list  of  disclosures. 


C. 


Section  10. 


(1)  For  routine  disclosures,  a  carrier  shall  be  able  to  track  when  routine 
disclosures  are  made,  to  whom  they  are  made  and  for  what  purpose  they 
are  made;  and 

(2)  For  all  other  disclosures,  a  carrier  shall  be  able  to  identify  the  authorization 
or  release  form  or  provision  of  law  allowing  the  receipt  or  disclosure  of 
protected  health  information. 

A  carrier  is  not  required  to  include  in  the  information  developed  pursuant  to 
Section  9A  any  disclosures  of  protected  health  information  that  were  compiled  in 
preparation  for  litigation,  law  enforcement  or  fraud  investigation. 

Authorization  for  Collection,  Use  or  Disclosure  of  Protected  Health 
Information 


A  carrier  shall  not  collect,  use  or  disclose  protected  health  information  without  a 
valid  authorization  from  the  subject  of  the  protected  health  information,  except  as 
permitted  by  Section  1 1  of  this  Act  or  as  permitted  or  required  by  law  or  court 
order.  Authorization  for  the  disclosure  of  protected  health  information  may  be 
obtained  for  any  purpose,  provided  that  the  authorization  meets  the  requirements 
of  this  section. 


B.         A  carrier  shall  retain  the  authorization  or  a  copy  thereof  in  the  record  of  the 
individual  who  is  the  subject  of  the  protected  health  information. 


133 


A  valid  authorization  shall  be  in  writing  and  contain  all  the  following: 

( 1 )  The  identity  of  the  individual  who  is  the  subject  of  the  protected  health 
information; 

(2)  A  description  of  the  types  of  protected  health  information  to  be  collected, 
used  or  disclosed.  If  the  authorization  is  in  support  of  an  application  for 
coverage  where  tests,  including  genetic  tests,  and  examinations  are  to  be 
performed  in  conjunction  with  underwriting  the  application,  the 
authorization  shall  include  a  description  of  the  types  of  tests  or 
examinations  to  be  performed  and  shall  be  accompanied  by  a  statement 
that  the  tested  individual  may  choose  whether  to  receive  the  results  of  any 
laboratory  tests  or  medical  examinations  performed.  In  cases  where  the 
authorization  is  other  than  in  support  of  an  application  for  coverage,  and 
tests,  including  genetic  tests,  and  examinations  are  to  be  performed,  an 
individual  may  choose  whether  to  receive  the  results  of  any  laboratory 
tests  or  medical  examinations  performed  and  obtain,  upon  request,  a 
detailed  list  of  laboratory  tests  or  medical  examinations  to  be  performed 
before  tests  or  examinations  are  administered; 

(3)  A  general  description  of  the  sources  from  which  protected  health 
information  will  be  collected; 

(4)  The  name  and  address  of  the  person  to  whom  the  protected  health 
information  is  to  be  disclosed,  except  that  an  authorization  provided  to  a 
carrier  for  collection  of  protected  health  information  to  support  insurance 
functions  listed  in  Section  lOH  may  generally  describe  the  persons  to 
whom  protected  health  information  may  be  disclosed; 

(5)  The  purpose  of  the  authorization,  including  the  reason  for  the  collection, 
the  intended  use  of  the  protected  health  information,  and  the  scope  of  any 
disclosures  that  may  be  made  in  carrying  out  the  purpose  for  which  the 
authorization  is  requested,  provided  those  disclosures  are  not  otherwise 
prohibited  by  law; 

(6)  The  signature  of  the  individual  who  is  the  subject  of  the  protected  health 
information  or  the  individual  who  is  legally  empowered  to  grant  authority 
and  the  date  signed;  and 


134 


(7)  A  statement  that  the  individual  who  is  the  subject  of  the  protected  health 
information  may  revoke  the  authorization  at  any  time,  except  as  provided 
in  Subsection  G  and  subject  to  the  rights  of  any  person  that  acted  in 
reliance  on  the  authorization  prior  to  revocation. 

D.  An  authorization  shall  specify  a  length  of  time  for  which  the  authorization  shall 
remain  valid,  which  in  no  event  shall  be  for  more  than  twelve  (12)  months,  except 
an  authorization  signed  for  one  of  the  following  purposes: 

(1)  For  the  collection  of  protected  health  information  to  support  insurance 
functions  listed  in  Section  lOH,  in  which  event  the  authorization  shall 
remain  valid  during  the  entire  term  of  the  policy  or  as  long  as  necessary  for 
the  carrier  to  meet  its  obligations  under  the  policy  or  as  otherwise  required 
by  law; 

(2)  To  support  an  application  for,  a  reinstatement  of,  or  a  change  in  benefits 
under  a  life  insurance  policy,  in  which  event  the  authorization  shall  expire 
in  thirty  (30)  months  or  whenever  the  application  is  denied,  whichever 
occurs  first;  or 

(3)  To  support  or  facilitate  ongoing  management  of  a  chronic  condition  or 
illness  or  rehabilitation  from  an  injury. 

E.  A  carrier  shall  obtain  a  separate  authorization  to  disclose  protected  health 
information  to  an  individual's  employer,  including  the  employer's  designated  risk 
manager,  unless: 

(1)  The  protected  health  information  is  disclosed  pursuant  to  the  employer's 
workers'  compensation  program,  to  the  extent  necessary  for  the 
performance  of  the  employer's  and  carrier's  rights  and  duties  under  state 
laws  governing  workers'  compensation; 

(2)  The  protected  health  information  is  disclosed  pursuant  to  the  employer's 
administration  of  a  health  and  welfare  benefit  plan;  or 

(3)  The  protected  health  information  is  necessary  to  the  administration  of 
claims  pursuant  to  a  commercial  lines  policy. 

F.  A  carrier  shall  obtain  a  separate  authorization  to  collect,  use  or  disclose  protected 
health  information  if  the  purpose  of  the  collection,  use  or  disclosure  under 


135 


Subsection  C(5)  is  for  the  marketing  of  services  or  goods,  or  for  other  commercial 
gain.  The  puqwse  of  the  collection,  use  or  disclosure  shall  appear  as  a  separate 
paragraph  in  bold  type  no  smaller  than  twelve  (12)  point.  The  purpose  shall  be 
stated  in  clear  and  simple  terms.  The  request  for  authorization  shall  specify  that 
the  authorization  shall  remain  valid  for  no  more  than  twelve  (12)  months  and  may 
be  revoked  at  any  time.  The  request  for  authorization  shall  state  that  the  terms 
and  conditions  of  all  insurance  policies  will  not  be  affected  in  any  way  by  a 
refusal  to  give  authorization.  A  separate  authorization  is  not  required  if  the  use  or 
disclosure  is  internal  or  to  an  affiliate  and  the  only  use  of  the  information  will  be 
in  connection  with  the  marketing  of  an  insurance  product,  provided  the  affiliate 
agrees  not  to  disclose  the  information  for  any  other  purpose  or  to  unaffiliated 
persons.  With  respect  to  insurance  products,  the  individual  shall  be  given  an 
opportunity  to  indicate  that  he  or  she  does  not  want  protected  health  information 
used  for  marketing  purposes  and  shall  have  given  no  indication  that  he  or  she  does 
not  want  protected  health  information  used  for  these  purposes. 

G.  An  individual  who  is  the  subject  of  protected  health  information  may  revoke  an 
authorization  at  any  time,  subject  to  the  rights  of  any  person  who  acted  in  reliance 
on  the  authorization  prior  to  notice  of  revocation.  A  revocation  of  an 
authorization  shall  be  in  writing,  dated  and  signed.  A  revocation  of  an 
authorization  shall  be  retained  by  the  carrier  in  the  record  of  the  individual  who  is 
the  subject  of  the  protected  health  information.  A  carrier  shall  give  prompt  notice 
of  the  revocation  to  all  persons  to  whom  the  carrier  has  disclosed  protected  health 
information  in  reliance  on  the  initial  authorization. 

H.  (1)  A  carrier  that  has  collected  protected  health  information  pursuant  to  a 
valid  authorization  in  accordance  with  this  Act,  may  use  and  disclose  the 
protected  health  information  to  a  person  acting  on  behalf  of  or  at  the 
direction  of  the  carrier  for  the  performance  of  the  carrier's  insurance 
functions:  claims  administration,  claims  adjustment  and  management, 
fraud  investigation,  underwriting,  loss  control,  rate-making  functions, 
reinsurance,  risk  management,  case  management,  disease  management, 
quality  assessment,  quality  improvement,  provider  credentialing 
verification,  utilization  review,  peer  review  activities,  grievance 
procedures,  and  internal  administration  of  compliance,  managerial, 
information  systems,  and  policyholder  service  functions.  Additional 
insurance  functions  may  be  allowed  with  the  prior  approval  of  the 
commissioner. 


136 


(2)  The  protected  health  information  shall  not  be  used  or  disclosed  for  any 
purpose  other  than  in  the  performance  of  the  carrier's  insurance  functions, 
except  as  otherwise  permitted  in  this  Act. 

I.  An  authorization  to  collect,  use  or  disclose  protected  health  information  pursuant 

to  this  Act  or  a  production  of  protected  health  information  pursuant  to  a  court 
order  shall  not  be  construed  to  constitute  a  waiver  of  any  other  privacy  right 
provided  to  an  individual  who  is  the  subject  of  protected  health  information  by 
other  federal  or  state  laws,  common  law,  or  rules  of  evidence. 

J.  A  person  who  receives  protected  health  information  from  a  carrier  shall  not  use 

the  protected  health  information  for  any  purpose  other  than  the  lawful  purpose  for 
which  it  was  disclosed. 

K.  Nothing  in  this  Act  requires  a  carrier  to  provide  a  benefit  or  commence  or 
continue  payment  of  a  claim  in  the  absence  of  protected  health  information  to 
support  or  deny  the  benefit  or  claim. 

L.  A  carrier  that  has  collected  protected  health  information  prior  to  the  effective  date 
of  this  Act  is  not  required  to  obtain  an  authorization  for  the  information;  however 
the  information  may  only  be  used  or  disclosed  in  accordance  with  this  Act  after 
the  effective  date. 

Drafting  Note:  States  with  laws  addressing  the  electronic  transmission  of  information  may  want 
to  specifically  authorize  the  use  of  electronic  authorizations  in  this  section. 

Section  11.      Collection,  Use  and  Disclosure  of  Protected  Health  Information  Without 
Authorization:  Generally 

A.  A  carrier  may  engage  in  the  following  activities  with  regard  to  protected  health 
information  without  authorization  in  the  following  circumstances  or  as  otherwise 
permitted  by  law: 

(1)  Collect  protected  health  information  from  or  disclose  protected  health 
information  to  a  carrier,  provided  that  the  carrier  that  is  receiving  the 
information: 

(a)  Is  investigating,  evaluating,  adjusting  or  settling  a  claim  involving 
the  individual  who  is  the  subject  of  the  protected  health 
information:  or 


137 


(b)  Has  become  or  is  considering  becoming  liable  under  a  policy 
insuring  the  individual  who  is  the  subject  of  the  protected  health 
information  as  a  result  of  a  merger,  acquisition  or  other  assumption 
of  such  liability; 

(2)  Collect,  use  or  disclose  protected  health  information  to  the  extent 
necessary  to  investigate,  evaluate,  subrogate  or  settle  third  party  claims, 
provided  that  the  claimant  is  the  subject  of  the  protected  health 
information  and  the  protected  health  information  is  used  for  no  other 
purpose  without  a  valid  authorization  or  the  use  is  otherwise  permitted 
under  federal  or  state  law; 

(3)  (a)        Collect,  use  or  disclose  protected  health  information  to  or  from  an 

insurance  support  organization  provided  that: 

(i)  The  insurance  support  organization  has  in  place  health 
information  policies,  standards  and  procedures  to  ensure 
compliance  with  the  requirements  of  this  Act;  and 

(ii)  The  protected  health  information  is  used  only  to  perform 
the  insurance  functions  of  claims  settlement,  detection  and 
prevention  of  fraud,  or  detection  and  prevention  of  material 
misrepresentation  or  material  nondisclosure;  or 

(iii)  The  protected  health  information  is  collected  and  used 
internally  only  to  perform  the  insurance  functions  of 
ratemaking  and  ratemaking-related  functions  or  regulatory 
or  legislative  cost  analysis;  and 

(b)  Additional  insurance  functions  may  be  added  to  Subparagraphs 
(3)(a)(ii)  and  (iii)  with  prior  approval  of  the  commissioner; 

(4)  If  the  protected  health  information  is  necessary  to  provide  ongoing  health 
care  treatment,  and  if  the  disclosure  has  not  been  limited  or  prohibited  by 
the  covered  person  who  is  the  subject  of  the  information,  collect  protected 
health  information  from  or  disclose  protected  health  information  to: 

(a)  A  health  care  provider,  employed  by  the  carrier,  who  is  furnishing 
health  care  to  a  covered  person; 


138 


(b)  A  health  care  provider  with  whom  the  carrier  contracts  to  provide 
health  care  services  to  covered  persons;  or 

(c)  A  referring  health  care  provider  who  continues  to  furnish  health 
care  to  a  covered  person; 

(5)  Disclose  protected  health  information  to  a  person  engaged  in  the 
assessment,  evaluation  or  investigation  of  the  quality  of  health  care 
furnished  by  a  provider  pursuant  to  statutory  or  regulatory  standards  or 
pursuant  to  the  requirements  of  a  private  or  public  program  authorized  to 
provide  for  the  payment  of  health  care; 

(6)  Subject  to  the  limits  of  Section  14A,  disclose  protected  health  information 
to  reveal  a  covered  person's  presence  in  a  facility  owned  by  the  carrier  and 
the  covered  person's  general  health  condition,  provided  that  the  disclosure 
is  limited  to  directory  information,  unless  the  covered  person  has  restricted 
that  disclosure  or  the  disclosure  is  otherwise  prohibited  by  law.  For  the 
purposes  of  this  paragraph,  directory  information  means  information  about 
the  presence  or  general  health  condition  of  a  particular  covered  person 
who  is  a  patient  or  is  receiving  emergency  health  care  in  a  health  care 
facility.  General  health  condition  means  the  covered  person's  general 
health  condition  or  status  described  as  "critical,"  "poor,"  "fair,"  "good," 
"excellent,"  or  in  terms  that  denote  similar  conditions; 

(7)  Collect,  use  or  disclose  protected  health  information  when  the  protected 
health  information  is  necessary  to  the  performance  of  the  carrier's 
obligations  under  any  workers'  compensation  law  or  contract; 

(8)  Collect  protected  health  information  from  or  disclose  protected  health 
information  to  a  reinsurer,  stop  loss  or  excess  loss  carrier  for  the  purpose 
of  underwriting,  claims  adjudication  and  conducting  claim  file  audits; 

(9)  Collect  protected  health  information  from  the  individual  who  is  the  subject 
of  the  protected  health  information;  and 

(10)  Collect,  use  or  disclose  protected  health  information  when  the  protected 
health  information  is  obtained  from  public  sources  such  as  newspapers, 
public  agency  reports,  and  law  enforcement  or  public  safety  reports. 

B.         Unless  otherwise  restricted  by  this  section,  a  carrier  that  has  collected  protected 
health  information  without  an  authorization  pursuant  to  Section  1 1  A,  may  use  and 


139 


disclose  the  information  to  a  person  acting  on  behalf  of  or  at  the  direction  of  the 
carrier  to  perform  the  insurance  functions  listed  in  Section  lOH. 

C.  A  carrier  shall  disclose  protected  health  information  in  any  of  the  following 
circumstances: 

( 1 )  To  federal,  state  or  local  governmental  authorities  to  the  extent  the  carrier 
disclosing  the  protected  health  information  is  required  by  law  to  report 
protected  health  information  or  for  fraud  reporting  purposes; 

(2)  The  protected  health  information  is  needed  for  one  of  the  following 
purposes: 

(a)  To  identify  a  deceased  individual; 

(b)  To  determine  the  cause  and  manner  of  death  by  a  chief  medical 
examiner  or  the  medical  examiner's  designee;  or 

(c)  To    provide    necessary    protected    health    information    about    a 
deceased  individual  who  is  a  donor  of  an  anatomical  gift; 

(3)  To  a  state  department  of  insurance  that  is  performing  an  examination, 
investigation,  or  audit  of  the  carrier;  or 

(4)  Pursuant  to  a  court  order  issued  after  the  court's  determination  that  the 
public  interest  in  disclosure  outweighs  the  individual's  privacy  interest  and 
that  the  protected  health  information  is  not  reasonably  available  by  other 
means. 

Drafting  Note:  States  may  wish  to  consider  whether  they  should  revise  rules  of  civil  procedure 
to  establish  appropriate  safeguards,  including  notice  mechanisms  and  protective  orders, 
restricting  redisclosure,  to  protect  the  rights  of  individuals  who  are  subjects  of  protected  health 
information  in  the  context  of  litigation  to  which  they  are  nonparties,  and  to  avoid  the  misuse  of 
subpoenas  and  discovery  requests  to  circumvent  the  protections  of  this  Act. 

D.  A  disclosure  of  protected  health  information  made  pursuant  to  Subsection  C  shall 
not  be  construed  to  be  or  to  operate  as  a  waiver  of  privacy  rights  provided  by  other 
federal  or  state  laws,  rules  of  evidence  or  common  law. 


140 


Section  12:      Disclosure  of  Protected   Health  Information  Without  Authorization  for 
Scientiflc,  Medical  and  Public  Policy  Research 

A.  A  carrier  may  disclose  protected  health  information  without  authorization  to 
research  organizations  conducting  scientific,  medical  or  public  policy  research  as 
provided  in  this  Act. 

B-         ( 1 )        A  carrier  shall  keep  a  record  of  research  organizations  to  which  it  discloses 
protected  health  information. 

(2)        The  carrier  shall  keep  the  record  five  (5)  years. 

C.  A  carrier  shall  not  disclose  protected  health  information  to  a  research  organization 
unless  the  research  organization  agrees  that  the  protected  health  information  shall 
not  be  disclosed  by  the  research  organization  to  a  third  person.  However,  the 
research  organization  may  disclose  the  protected  health  information  to  its  agents, 
collaborators,  or  contractors  as  needed  to  conduct  or  assist  with  the  research,  as 
long  as  all  requirements  of  this  section  are  applied  to  the  agent,  collaborator,  or 
contractor. 

D.  A  carrier  shall  disclose  only  the  minimum  data  necessary  to  conduct  the  intended 
research.  Protected  health  information  shall  be  disclosed  only  where 
identification  is  necessary  to  conduct  the  research. 

E.  If  the  scientific,  medical  or  public  policy  research  does  not  require  contact  with 
the  individual  who  is  the  subject  of  the  protected  health  information,  the  following 
protections  shall  exist  prior  to  disclosure: 

(1)  The  research  organization  develops  and  implements  a  written  policy  that 
includes  procedures  to  assure  the  security  and  privacy  of  protected  health 
information.  The  policy  shall  include: 

(a)  Training  and  disciplinary  procedures  to  assure  that  persons 
involved  in  research  comply  with  the  provisions  of  this  Act; 

(b)  Safeguards  to  assure  that  information  in  a  report  of  the  research 
project  docs  not  contain  protected  health  information.  The 
safeguards  shall  include  a  system  for  ensuring  that  only  authorized 
individuals  are  able  to  establish  a  link  between  individuals  and 
their  health  information;  and 

(c)  A  method  for  removing  all  information  that  identifies,  directly  or 
indirectly  through  reference  to  publicly  available  information,  the 
individual  who  is  the  subject  of  the  protected  health  information, 
when  the  information  is  no  longer  needed  for  research  that  is 


141 


otherwise  permitted  under  this  subsection.  The  policy  may  also 
provide  that  the  research  organization  may  retain  the  protected 
health  information  for  an  indefinite  period  if  archived  in  an 
encoded  form,  and  it  may  not  be  used  for  other  research  unless  the 
requirements  of  this  section  are  met.  "Encoded"  as  used  in  this 
subparagraph  means  that  the  personally  identifiable  information  of 
the  data  is  removed  or  encrypted  and  the  key  to  restore  the 
protected  health  information  is  retained  in  a  secure  place  within  the 
research  organization  with  access  limited  to  the  minimum  number 
of  people  necessary  to  maintain  the  confidentiality  and  integrity  of 
the  key. 

(2)  (a)        The  research  organization  prepares  a  research  plan  that  explains  the 

purposes  of  the  research,  a  general  description  of  research  methods 
to  be  used,  and  the  potential  benefits  of  the  research. 

(b)  (i)  All  research  plans  using  protected  health  information  under 
this  Act  shall  be  available  to  the  public  and  may  be 
obtained  by  written  request  to  the  chief  executive  officer  of 
the  research  organization  or  carrier. 

(it)  If  the  research  plan  contains  information  that  is  proprietary 
or  protected  from  disclosure  by  contract  or  statute,  the 
information  may  be  deleted  from  the  copy  made  available 
to  the  public. 

(iii)  The  research  organization  shall  keep  the  research  plan  on 
file  for  five  (5)  years. 

(3)  (a)        The  carrier  and  the  research  organization  shall  execute  a  written 

agreement: 

(i)         Stating  the  purposes  of  the  research; 

(ii)  Explaining  how  the  purposes  qualify  as  scientific,  medical 
or  public  policy  research; 

(iii)  E>ocumenting  that  the  organization  is  qualified  under 
Paragraphs  (1)  and  (2)  of  this  subsection; 

(iv)  Stating  the  expected  time  during  which  the  data  will  be 
used  for  the  stated  purposes; 


142 


(v)  Explaining  the  planned  method  of  disposition  of  the 
protected  health  information  at  the  end  of  the  term  of  use; 
and 

(vi)  Stating  that  the  written  agreement  shall  be  available  to  the 
public  and  can  be  obtained  by  written  request  to  the  chief 
executive  officer  of  the  research  organization. 

(b)  The  carrier  shall  provide  a  copy  of  the  written,  executed  agreement 
upon  request  to  any  person.  If  the  executed  agreement  contains 
information  that  is  proprietary  or  protected  from  disclosure  by 
contract  or  statute,  the  information  may  be  deleted  from  the  copy 
that  is  made  available  pursuant  to  this  subsection. 

(c)  The  carrier  shall  keep  this  agreement  on  file  five  (5)  years. 

If  the  scientific,  medical  or  public  policy  research  requires  contact  with  the 
individual  who  is  the  subject  of  protected  health  information,  the  following 
protections  shall  exist  prior  to  disclosure: 

(1)  The  research  organization  and  carrier  shall  meet  the  requirements  of 
Subsection  E;  and 

(2)  (a)        The  research  organization  is  responsible  for  obtaining  a  legally 

effective  informed  consent  of  the  subject  or  the  subject's  legally 
authorized  representative.  A  research  organization  shall  seek 
consent  only  under  circumstances  that  provide  the  prospective 
subject  or  the  representative  with  sufficient  opportunity  to  consider 
whether  to  participate  in  the  research,  and  that  minimize  the 
possibility  of  coercion  or  undue  influence. 

(b)  The  information  that  is  given  to  the  subject  or  the  representative 
shall  be  in  language  understandable  to  the  subject  or  the 
representative. 

(c)  No  informed  consent,  whether  oral  or  written,  may  include  any 
exculpatory  language  through  which  the  subject  or  the 
representative  waives  or  appears  to  waive  any  of  the  subject's  legal 
rights,  or  releases  or  appears  to  release  the  investigator,  the 
sponsor,  the  research  organization  or  its  agents  from  liability  or 
negligence. 

(d)  Basic  elements  of  informed  consent.  In  seeking  informed  consent 
the  following  information  shall  be  provided  to  each  subject: 


143 


(i)  A  statement  that  the  study  involves  research,  an  explanation 
of  the  purposes  of  the  research  and  the  expected  duration  of 
the  subject's  participation,  a  description  of  the  procedures 
to  be  followed,  and  identification  of  any  procedures  that  are 
experimental; 

(ii)  A  description  of  any  reasonably  foreseeable  risks  or 
discomforts  to  the  subject; 

(iji)  A  description  of  any  benefits  to  the  subject  or  to  others  that 
may  reasonably  be  expected  from  the  research; 

(iv)  A  disclosure  of  appropriate  alternative  procedures  or 
courses  of  treatment,  if  any,  that  might  be  advantageous  to 
the  subject; 

(v)  A  statement  describing  the  extent  to  which  confidentiality 
of  records  identifying  the  subject  will  be  maintained; 

(vi)  For  research  involving  more  than  minimal  risk,  an 
explanation  as  to  whether  any  compensation  and  medical 
treatments  are  available  if  injury  occurs  and,  if  so,  what 
they  consist  of,  or  where  further  information  may  be 
obtained; 

(vii)  An  explanation  of  whom  to  contact  for  answers  to  pertinent 
questions  about  the  research  and  the  research  subject's 
rights; 

(viii)  The  name  of  a  person  to  contact  in  the  event  of  a  research- 
related  injury  to  the  subject;  and 

(ix)  A  statement  that  participation  is  voluntary,  refusal  to 
participate  will  involve  no  penalty  or  loss  of  benefits  to 
which  the  subject  is  otherwise  entitled,  and  that  the  subject 
may  discontinue  participation  at  any  time  without  penalty 
or  loss  of  benefits  to  which  the  subject  is  otherwise  entitled. 

(c)        Additional  elements  of  informed  consent.   When  appropriate,  one 
or  more  of  the  following  shall  also  be  provided  to  each  subject: 

(i)  A  statement  that  the  particular  treatment  or  procedure  may 
involve  risks  to  the  subject  (or  to  the  embryo  or  fetus,  if  the 
subject  is  or  may  become  pregnant)  that  are  currently 
unforeseeable; 


144 


(ii)  Anticipated  circumstances  under  which  the  subject's 
participation  may  be  terminated  by  the  investigator  without 
regard  to  the  subject's  consent; 

(iii)  Any  additional  costs  to  the  subject  that  may  result  from 
participation  in  the  research; 

(iv)  The  consequences  of  a  subject's  decision  to  withdraw  from 
the  research  and  procedures  for  orderly  termination  of 
participation  by  the  subject; 

(v)  A  statement  that  significant  new  findings  developed  during 
the  course  of  the  research  that  may  relate  to  the  subject's 
willingness  to  continue  participation  will  be  provided  to  the 
subject;  and 

(vi)     The  approximate  number  of  subjects  involved  in  the  study. 

(0  If  a  research  organization  submits  research  for  approval  by  an 
institutional  review  board  under  the  Federal  Policy  for  the 
Protection  of  Human  Subjects,  as  originally  published  in  56 
Federal  Register  28000  (1991)  and  as  adopted  and  implemented  by 
a  federal  department  or  agency,  compliance  with  that  process  will 
be  deemed  compliance  with  the  provisions  of  Subsections  E(2)  and 
F(2)of  this  section. 

G.  (1)  If  a  carrier  discloses  to  an  organization  conducting  scientific,  medical  or 
public  policy  research  health  information  that  is  not  protected  health 
information  because  all  identifying  information  is  encrypted,  the  carrier 
and  research  organization  shall  execute  a  written  agreement  that  provides: 

(a)  That  the  research  organization  will  not  re-release  the  data 
accompanied  by  the  encrypted  indentifying  information  to  a  third 
person.  However,  the  research  organization  may  disclose  protected 
health  information  to  its  agents,  collaborators,  or  contractors  as 
needed  to  conduct  or  assist  with  the  research,  as  long  as  all 
requirements  of  this  section  are  applied  to  the  agent,  collaborator, 
or  subcontractor; 

(b)  That  the  research  organization  shall  make  no  efforts  to  link  any 
health  information  it  received  with  encrypted  indentifying 
information  to  any  other  data  that  may  identify  the  individual  who 
is  the  subject  of  the  information;  and 


145 


(c)  That  the  research  organization  shall  make  no  efforts  to  link  any 
encrypted  protected  health  information  with  any  other  identifiable 
data. 

(2)  Prior  to  any  encrypted  information  being  decrypted  or  linked  to  identifying 
data,  the  research  organization  shall  comply  with  the  requirements  set 
forth  in  this  section  and  health  information  with  decrypted  identifying 
information  shall  be  deemed  protected  health  information. 

H.  Nothing  in  this  Act  shall  be  construed  to  prevent  the  creation,  use  or  release  of 
anonymized  data  for  which  there  is  no  reasonable  basis  to  believe  that  the 
information  could  be  used  to  identify  an  individual. 

I.  Nothing  in  this  section  shall  be  construed  as  superseding  federal  laws  and 

regulations  governing  scientific,  medical  and  public  policy  research. 

Section  13.      Unauthorized  Collection,  Use  or  Disclosure  of  Protected  Health  Information 

An  unauthorized  collection,  use  or  disclosure  of  protected  health  information  by  a  carrier  is 
prohibited  and  subject  to  the  penalties  set  forth  in  Section  15.  An  unauthorized  collection,  use  or 
disclosure  includes: 

A.  Unauthorized  publication  of  protected  health  information; 

B.  Unauthorized  collection,  use  or  disclosure  of  protected  health  information  for 
personal  or  professional  gain,  including  unauthorized  research  that  does  not  meet 
the  requirements  of  this  Act; 

C.  Unauthorized  sale  of  protected  health  information; 

D.  Unauthorized  manipulation  of  coded  or  encrypted  health  information  that  reveals 
protected  health  information;  and 

E.  Use  of  deception,  fraud,  or  threat  to  procure  authorization  to  collect,  use  or 
disclose  protected  health  information. 

Section  14.       Right  to  Limit  Disclosures 

A.  A  carrier  shall  limit  disclosure  of  information,  including  health  information,  about 
an  individual  who  is  the  subject  of  the  information  if  the  individual  clearly  states 
in  writing  that  disclosure  to  specified  individuals  of  all  or  part  of  that  information 
could  jeopardize  the  safety  of  the  individual.  Disclosure  of  information  under  this 


146 


subsection  shall  be  limited  consistent  with  the  individual's  request,  such  as  a 
request  for  the  carrier  to  not  release  any  information  to  a  spouse  to  prevent 
domestic  violence. 

B.  Except  as  otherwise  required  by  law,  a  carrier  shall  not  disclose  protected  health 
information  concerning  health  services  related  to  reproductive  health,  sexually 
transmitted  diseases,  substance  abuse  and  behavioral  health,  including  mailing 
appointment  notices,  calling  the  home  to  confirm  appointments,  or  mailing  a  bill 
or  explanation  of  benefits  to  a  policyholder  or  certificateholder,  if  the  individual 
who  is  the  subject  of  the  protected  health  information  makes  a  written  request. 
The  written  request  shall  include  information  as  to  how  any  amounts  payable  by 
the  individual  will  be  handled.  In  addition,  a  carrier  shall  not  require  the 
individual  to  obtain  the  policyholder's  or  certificateholder' s  authorization  to 
receive  health  care  services  or  to  submit  a  claim.  Except  as  provided  in 
Subsection  C,  this  section  shall  not  apply  to  minors. 

Drafting  Note:  States  are  reminded  to  ensure  consistency  with  existing  state  laws  addressing 
privacy  of  information  related  to  specific  health  services  and  to  amend  the  list  of  services  in 
Subsection  B  accordingly. 


C.  (1)  A  carrier  shall  recognize  the  right  of  any  minor  who  may  obtain  health 
care  without  the  consent  of  a  parent  or  legal  guardian  pursuant  to  state  or 
federal  law,  to  exclusively  exercise  rights  granted  under  this  Act  regarding 
health  information;  and 

(2)  A  carrier  shall  not  disclose  any  protected  health  information  related  to  any 
health  care  service  to  which  the  minor  has  lawfully  consented,  including 
mailing  appointment  notices,  calling  the  home  to  confirm  appointments,  or 
mailing  a  bill  or  explanation  of  benefits  to  a  policyholder  or 
certificateholder,  without  the  express  authorization  of  the  minor.  In 
addition,  a  carrier  shall  not  require  the  minor  to  obtain  the  policyholder's 
or  certificateholder's  authorization  to  receive  health  care  services  to 
submit  a  claim. 

Drafting  Note:  The  age  of  consent  and  the  health  care  services  to  which  a  minor  may  consent 
may  vary  depending  on  state  law.  Health  care  services  to  which  a  minor  may  consent  typically 
include  those  relating  to  reproductive  health  services,  sexually  transmitted  disease,  substance 
abuse  and  behavioral  health. 


147 


Drafting  Note:  States  should  examine  existing  state  laws  and  amend  statutes  that  conflict  with 
this  section,  such  as  laws  that  require  the  carrier  to  send  explanations  of  benefits  to  policyholders. 

D.  A  carrier  that  cannot  comply  with  the  requirements  of  this  section  relating  to  the 
suppression  of  benefit,  payment  and  similar  information  by  the  effective  date  of 
this  Act  because  of  demonstrated  financial  or  technological  burdens  may  make  a 
written  request  to  the  commissioner  for  an  extension  of  the  time  permitted  for 
compliance.  The  request  shall  propose  a  plan  and  a  timetable  for  compliance  not 
to  exceed  eighteen  (18)  months  after  the  effective  date  of  this  Act.  Carriers  that 
are  granted  an  extension  by  the  commissioner  shall  report  this  extension  and  the 
lack  of  current  compliance  with  the  provisions  of  this  section  in  the  notice  of 
health  information  policies,  standards  and  procedures  required  by  Section  6. 

Section  15.      Sanctions 

Drafting  Note:  Insert  the  title  of  the  regulatory  official  charged  with  prosecuting  violations  of 
the  law  on  behalf  of  the  insurance  department  wherever  the  term  "commissioner"  appears  in  this 
section. 

A.        Civil  Sanctions 

(1)  Whenever  the  commissioner  has  reason  to  believe  that  a  person  has 
committed  gross  negligence  in  violation  of  a  material  provision  of  this  Act 
and  that  an  action  under  this  section  is  in  the  public  interest,  the 
commissioner  may  bring  an  action  to  enjoin  violations  of  this  Act.  An 
injunction  issued  under  this  section  shall  be  issued  without  bond. 

(2)  In  addition  to  the  relief  available  pursuant  to  Paragraph  (1)  of  this 
subsection,  the  commissioner  may  request  and  the  court  may  order  any 
other  temporary  or  permanent  relief  as  may  be  in  the  public  interest, 
including  any  of  the  following,  or  any  combination  of  the  following: 

(a)  A  civil  penalty  of  not  more  than  $10,000  for  each  violation,  not  to 
exceed  $50,000  in  the  aggregate  for  multiple  violations; 

(b)  A  civil  penalty  of  not  more  than  $250,000  if  the  court  finds  that 
violations  of  this  Act  have  occurred  with  sufficient  frequency  to 
constitute  a  general  business  practice;  and 

(c)  Reasonable  attorney  fees,  investigation  and  court  costs. 


148 


Drafting  Note:  States  should  consider,  consistent  with  existing  state  laws,  whether  they  wish  to 
allow  a  private  right  of  action  to  individuals  aggrieved  by  a  violation  of  this  Act. 

B.  Criminal  Sanctions 

(1)  The  penalties  described  in  Paragraph  (2)  of  this  subsection  shall  apply  to  a 
person  that  collects,  uses  or  discloses  protected  health  information  in 
knowing  violation  of  this  Act. 

(2)  A  person  described  in  Paragraph  ( 1 )  shall: 

(a)  Be  fined  not  more  than  $50,000,  imprisoned  not  more  than  one 
year;  or  both; 

(b)  If  the  offense  is  committed  under  false  pretenses,  be  fined  not  more 
than  $250,000,  imprisoned  not  more  than  five  (5)  years,  or  any 
combination  of  these  penalties;  or 

(c)  If  the  offense  is  committed  with  the  intent  to  sell,  transfer  or  use 
protected  health  information  for  malicious  harm,  be  fined  not  more 
than  $500,000,  imprisoned  not  more  than  ten  (10)  years,  or  any 
combination  of  these  penalties. 

C.  In  any  claim  made  under  this  section  relating  to  an  unauthorized  disclosure  in 
which  a  carrier  is  being  sued  under  a  theory  of  vicarious  liability  for  the  actions  or 
omissions  of  the  carrier's  employees,  it  shall  be  an  affirmative  defense  that  the 
carrier  substantially  complied  with  the  requirements  of  Section  5  of  this  Act. 

D.  An  individual  may  not  maintain  an  action  against  a  carrier  that  disclosed  protected 
health  information  in  good  faith  reliance  on  the  individual's  authorization,  if  that 
authorization  meets  the  requirements  of  Section  10  of  this  Act  and  if  the 
disclosure  was  made  in  compliance  with  the  requirements  of  this  Act. 

E.  A  person  may  not  maintain  an  action  against  a  carrier  for  refusing  to  provide 
information  or  limiting  disclosure  of  protected  health  information  when  the 
refusal  or  limitation  is  based  upon  an  individual's  request  pursuant  to  Section  14 
of  this  Act. 


149 


Section  16.      Regulations 

The  commissioner  may,  after  notice  and  hearing,  promulgate  regulations  to  carry  out  the 
provisions  of  this  Act.  The  regulations  shall  be  subject  to  review  in  accordance  with  [insert 
statutory  citation  providing  for  administrative  rulemaking  and  review  of  regulations]. 

Section  17.      Separability 

If  any  provision  of  this  Act,  or  the  application  of  the  provision  to  any  person  or  circumstance 
shall  be  held  invalid,  the  remainder  of  the  Act,  and  the  application  of  the  provision  to  persons  or 
circumstances  other  than  those  to  which  it  is  held  invalid,  shall  not  be  affected. 

Section  18.      Effective  Date 

This  Act  shall  take  effect  on  [insert  a  date  that  allows  at  least  a  one  year  interval  between  the  date 
of  enactment  and  the  effective  date.] 


Legislative  History  (all  references  are  to  the  Proceedinss  of  the  NAIC). 


■,nd 


1998  Proc.  2"'  Quarter  (adopted). 


150 

Testimony  of  the 

American  Psychiatric  Association 

on 

H.R.  4585 

The  Medical  Financial  Privacy  Protection  Act 

before  the 

Committee  on  Banking  and  Financial  Services 

U.S.  House  of  Representatives 

Presented  by  Richard  K.  Harding,  M.D. 

June  14,  2000 


TABLE  OF  CONTENTS 

I.  Introduction  and  Background 

II.  Financial  Services  Modernization  and  Medical  Privacy 

III.  Privacy  is  an  Essential  Component  of  Effective  Medical  Treatment. 

IV.  Provisions  of  H.R.  4S8S  and  APA  Recommendations 

V.  A  Broad  Array  of  Legislation  to  Add  Urgently  needed  Privacy 

Protection  to  the  Financial  Modernization  Law 


Mr.  Chair,  I  am  Richard  Harding,  M.D.,Vice-Chairman  of  CHnical  Affairs  and  Professor 
of  Neuropsychiatry  and  Pediatrics  at  the  University  of  South  Carolina  School  of 
Medicine.  In  addition  to  treating  patients  and  my  responsibilities  at  the  School  of 
Medicine,  I  am  President-Elect  of  the  American  Psychiatric  Association  and  serve  on  the 


151 


National  Committee  on  Vital  and  Health  Statistics  -  the  panel  that  advises  the  U.S. 
Secretary  of  Health  and  Human  Services  on  medical  privacy  and  health  information 
issues. 

Thank  you  Chainnan  Leach,  Ranking  Member  LaFalce,  Mrs.  Roukema,  Mr.  Vento  and 
other  members  of  the  Committee  for  this  opportunity  to  testify.  The  views  I  am 
presenting  today  are  both  my  views  and  the  views  of  the  APA. 

We  now  face  what  a  bipartisan  national  panel  of  experts  called  a  "health  privacy  crisis". 
Some  observers  would  even  say  this  view  represents  an  understatement;  just  several 
months  ago  a  leading  computer  magazine  proclaimed  on  its  cover  "We  kriow  everything 
about  you... Privacy  is  dead;  get  used  to  it."  What's  clear  is  that  today,  we  live  with  a  21^' 
Century  cyberspace  financial  and  health  care  system,  but  we  live  with  medical  privacy 
protections  designed  for  the  bygone  black  and  white  television  era  of  Marcus  Welby, 
MD. 

Fortunately,  a  groundswell  of  public  opposition  is  developing  to  the  numerous  invasions 
of  privacy  confronting  us.  Groups  as  diverse  as  Phyllis  Schafly's  Eagle  Forum,  the 
American  Medical  Association,  major  patient  groups  and  the  ACLU  all  believe  it  is 
critically  important  to  address  the  dramatic  loss  of  medical  privacy.  However,  in  my 
opinion,  those  "inside  the  beltway"  are  only  beginning  to  realize  the  great  extent  of  the 
public's  discontent  with  the  loss  of  their  privacy. 

Your  efforts  Mr.  Chairman,  as  well  as  those  of  the  Clinton  Administration,  Mr.  LaFalce, 
and  Mr.  Markey,  to  add  needed  privacy  protections  to  the  Financial  Services 
Modernization  Act  are  very  important  first  steps  to  address  the  public's  concern.  We 
strongly  urge  you  and  your  colleagues  to  come  together  on  a  bipartisan  basis  and  pass 
legislation  to  add  critically  needed  privacy  protections  to  the  financial  modernization  law. 
Mr.  Chairman,  while  we  believe  there  are  issues  still  to  be  resolved,  we  welcome  your 
valuable  legislation  and  look  forward  to  working  with  you  to  advance  medical  privacy. 

As  we  consider  this  issue  I  hope  each  of  us  will  think  not  only  in  terms  of  public  policy 
but  also  in  terms  of  our  own  medical  records  and  our  own  family's  privacy.  Medical 
records  contain  some  of  the  most  personal  information  about  ourselves  and  our  families.  I 
can  assure  you  as  a  patient  I  want  to  make  the  choice  myself  as  to  whether  my  medical 
information  is  disclosed,  and  I  want  members  of  my  family  to  have  that  same  right.  This 
decision  should  not  be  made  for  us  by  a  financial  institution.  This  is  not  information  that 
a  life  insurance  salesman,  a  telemarketer,  or  a  bank's  mortgage  officer  should  have  at 
their  fingertips.  Disclosure  of  certain  medical  records  information  can  jeopardize  our 
careers,  our  friendships,  our  marriages  and  even  our  health. 

Financial  services  modernization  and  medical  privacy. 

How,  you  might  ask,  could  a  financial  modernization  law  affect  your  medical  privacy? 
Simply  put,  as  a  result  of  the  1999  financial  modernization  law,  insurers,  including  health 
and  life  insurers,  can  merge  easily  with  banks  and  other  financial  services  companies.  As 
a  result,  in  these  large  new  holding  companies  it  is  easy  for  a  health  insurance  company  to 
disclose  medical  records  information  to  a  corporate  affiliate  such  as  a  life  insurance 
company,  mortgage  lender  or  credit  card  issuer. 


152 


As  a  result  of  these  disclosures  customers  and  patients  can  be  harmed  in  many  ways.  Tlie 
most  obvious  example  is  that  medical  records  would  be  disclosed  to  an  affiliated  banking 
company.  The  individual  would  be  denied  credit  on  the  basis  of  his  or  her  medical 
condition.  Affiliates  and  others  could  also  use  customer  medical  information  for 
marketing  and  other  purposes.  But  there  are  additional  areas  of  concern  as  well.  For 
example,  will  individuals  face  discrimination  and  not  be  able  to  obtain  health  insurance  or 
life  insurance  they  need  to  protect  themselves  and  their  families?  And  of  course  the 
original  law  contains  virtually  no  limits  on  police  access  to  records  maintained  by 
financial  institutions. 

Privacy  is  an  essential  component  of  effective  medical  treatment. 

In  addition  to  the  importance  of  privacy  in  our  consumer  transactions,  personal 
relationships  and  professional  lives,  patient  privacy  is  needed  for  physicians  to  provide 
the  highest  quality  medical  care.  It  is  too  often  forgotten  that  doctor-patient 
confidentiality  is  an  essential  element  for  effective  medical  treatment.  Without  a  very 
high  level  of  patient  privacy,  many  patients  will  be  deterred  from  seeking  needed  health 
care  and  from  making  a  fiill  and  frank  disclosure  of  information  needed  for  their 
treatment.  After  all,  the  information  in  our  medical  records  can  include  information  on 
heart  disease  and  high  blood  pressure,  terminal  illness,  domestic  violence  and  other 
women's  health  issues,  psychiatric  treatment,  alcoholism  and  other  sensitive  issues. 
Patients'  legitimate  fears  about  medical  privacy  if  unaddressed  by  policymakers  can  also 
compromise  the  integrity  of  research  data  needed  for  scientists  to  make  breakthroughs  in 
treating  illness  and  disease.  Unfortunately,  the  more  people  who  see  our  medical  records 
in  a  financial  institution,  the  more  likely  our  records  will  be  disclosed  and  the  greater 
chance  that  patients  will  be  afraid  to  seek  treatment  and  provide  the  fullest  information 
possible  to  their  physicians. 

In  reference  to  mental  health,  privacy  is  essential  for  effective  psychiatric  care.  As  even 
the  U.S.  Supreme  Court  recognized  in  its  1996  Jaffee  v.  Redmond  decision,  mental  health 
information  is  so  sensitive  that  additional  privacy  protections  are  needed  for  psychiatric 
treatment.  The  Court  held  that  "Effective  psychotherapy  depends  upon  an  atmosphere  of 
confidence  and  trust... disclosure  of  confidential  communications  made  during  counseling 
sessions  may  cause  embarrassment  or  disgrace.  For  this  reason  the  mere  possibility  of 
disclosure...  may  impede  the  development  of  the  confidential  relationship  necessary  for 
successful  treatment."  The  1999  U.S.  Surgeon  General's  Report  on  Mental  Health 
reached  a  similar  conclusion,  i.e.  that  patient  consent  was  an  essential  component  of 
access  to  effective  psychiatric  care. 

It  is  often  extremely  difficult  for  individuals  to  bring  themselves  to  seek  mental  health 
treatment.  Even  in  cases  where  the  person  is  extremely  emotionally  distressed  the 
individual  may  still  avoid  medical  care  at  great  cost  to  themselves  and  their  families. 
Unfortunately,  today  these  individuals  also  must  overcome  their  fears  that  their  privacy 
will  be  compromised  if  they  seek  treatment.  I  do  not  believe  we  as  a  society  should  create 
any  additional  barriers  for  effective  psychiatric  treatment. 

Provisions  of  H.R.  4585  and  APA  recommendations 


153 


The  introduction  of  H.R.  4585  has  added  a  key  new  element  to  the  privacy  debate  by 
focusing  exclusively  on  the  medical  privacy  provisions  of  the  Financial  Services 
Modernization  Act.  A  similar  positive  development  has  occurred  in  the  Senate  where 
Senator  Shelby  is  attempting  to  add  a  medical  privacy  amendment  to  legislation  before 
the  Senate  Banking  Committee.  When  taken  together,  these  efforts  offer  the  hope  of 
progress  on  adding  urgently  needed  privacy  provisions  to  the  Financial  Services 
Modernization  Act. 

APA  believes  that  H.R.  4585  creates  a  valuable  framework  for  protecting  medical 
privacy,  and  we  look  forward  to  working  with  the  committee  to  insure  that  the  specific 
provisions  of  the  bill  insure  that  consumers  benefit  fiilly  from  the  legislation's 
protections.  H.R.  4585  establishes  a  key  principle  for  protecting  the  medical  records  held 
by  financial  services  companies.  The  legislation  would  create  a  general  rule  allowing 
patients  to  choose  if  their  medical  records  will  be  disclosed  to  an  affiliated  company  or  to 
a  non-affiliated  third  party.  In  these  cases  companies  would  need  the  express  written 
consent  of  the  patient  before  disclosing  medical  records.  We  strongly  support  this  patient 
consent  rule.  This  broad  rule  is  clearly  preferable  to  enumerating  specific  purposes  which 
require  patient  consent. 

I  am  equally  enthusiastic  about  the  bill's  general  rule  insuring  that  patients'  mental  health 
records  will  not  be  disclosed  without  the  patient's  separate  and  specific  consent.  As  I 
outlined  earlier  in  my  testimony,  providing  patients  with  this  additional  right  is  a  sound 
business  practice  and,  as  the  U.S.  Surgeon  General,  the  U.S.  Supreme  Court,  and  others 
have  recognized,  privacy  is  an  essential  component  of  effective  psychiatric  treatment. 

The  provisions  of  Representative  Leach's  bill  which  allow  consumers  to  decide  if  their 
information  would  be  included  in  lists  containing  health  information  -  lists  which  may  be 
used  to  discriminate  against  them-  are  also  valuable.  In  addition,  the  provisions  insure  that 
patients  would  be  able  to  decide  if  disclosures  of  information  on  their  spending  habits 
(such  as  credit  card  payment  information)  is  disclosed.  In  some  cases  this  information  can 
reveal  the  patient's  health  condition. 

However,  I  would  be  remiss  not  to  state  my  belief  that  the  wide  scope  of  the  exceptions  to 
the  legislation's  patient  consent  provisions  needs  to  be  discussed  and  reevaluated.  For 
example,  the  legislation  seems  to  recogiiize  that  strong  protections  are  needed  to  insure 
that  patients  can  elect  to  keep  their  medical  records  private  without  compromising  their 
ability  to  obtain  credit.  After  all  if  a  mortgage  lender  can  make  consumers  consent  to 
release  their  medical  records  as  a  condition  of  receiving  a  loan  little  would  be 
accomplished.  Yet,  as  currently  drafted,  do  these  provisions  insure  that  in  the  routine 
course  of  business  patient  consent  will  be  voluntary  and  non-coerced?  This  remains 
unclear.  I  would  also  like  to  point  out  that  virtually  all  exceptions  from  the  original 
Financial  Services  Modernization  Act's  privacy  provisions  are  again  included  verbatim 
by  reference  in  this  legislation  and  that  the  Secretary  is  given  new  authority  to  create 
additional  exceptions.  Given  the  uncertainty  surrounding  the  scope  of  the  bill's 
exceptions,  we  look  forward  to  working  with  members  of  the  Committee  to  ensure  that 
consumers  "in  the  real  world"  truly  enjoy  meaningfiil  new  protections.  We  look  forward 
to  resolving  these  questions  with  members  of  the  Committee. 

A  Broad  Array  of  Legislation  to  add  urgently  needed  privacy  protection  to  the 


154 


Financial  Services  Modernization  Act 

As  part  of  the  Committee's  deliberation  on  H.R.  4585,  we  believe  the  Committee  siiould 
also  review  several  other  important  bills  before  the  Committee.  Ranking  Member 
LaFalce,  working  closely  with  the  Clinton  Administration,  has  introduced  a  very  valuable 
and  far  reaching  bill  to  provide  needed  medical  and  financial  privacy  protections  to  the 
Financial  Services  law.  Likewise,  Representative  Ed  Markey  was  the  first  to  introduce, 
with  Representative  Joe  Barton,  comprehensive  legislation  to  provide  stronger  medical 
and  financial  privacy  protections  to  the  Financial  Ser\'ices  Modernization  Act.  Mr. 
Markey's  legislation  is  a  very  privacy  protective  bill,  and  Mr.  Markey  and  Mr.  Barton  as 
Co-Chairs  of  the  bipartisan  House  Privacy  Caucus  have  very  actively  campaigned  for 
urgently  needed  improvements  in  the  law. 

As  Congress  focuses  greater  attention  on  medical  records  privacy  issues  the  American 
Psychiatric  Association  looks  forward  to  building  support  for  valuable  patient  privacy 
proposals.  Last  summer  during  the  Congress'  final  deliberations  on  the  financial  services 
bill  APA  led  an  ad-hoc  coalition  of  over  40  groups,  including  key  physician,  provider, 
and  patient  groups  as  well  as  major  unions  and  conservative  family  organizations,  which 
all  advocated  for  meaningful  medical  records  privacy  provisions.  We  look  forward  to 
working  with  these  groups  again  in  order  to  build  support  for  needed  medical  privacy 
protections.  Thank  you  for  inviting  me  to  testify  and  I  look  forward  to  continuing  to  work 
with  you  and  members  of  the  Committee  on  these  issues. 


155 


Statement  of 

Steve  Bartlctt 

President 

The  Financial  Services  Roundtable 

Before  the 

Committee  on  Banking  and  Financial  Services 

U.S.  House  of  Representatives 

on 

H.R.  4585,  the  Medical  Financial  Privacy  Protection  Act 

June  14,2000 


Good  morning,  Mr.  Chairman  and  Members  of  the  Committee. 

The  Financial  Services  Roundtable  appreciates  the  opportunity  to  testify  on  H.R.  4585,  the  Medical 
Financial  Privacy  Protection  Act.  The  Financial  Services  Roundtable  is  a  national  association  of  100  of 
the  nation's  largest  integrated  financial  services  finns.  The  members  of  the  Roundtable  engage  in 
banking,  securities,  insurance,  and  other  financial  services  activities. 

H.R.  4585  addresses  an  issue  that  is  of  importance  to  all  members  of  The  Financial  Services  Roundtable 
and  all  consumers  of  financial  services  —  the  privacy  of  health  information  in  the  possession  of  a 
financial  institution.  We  support  the  purpose  of  this  legislation.  In  fact,  as  I  discuss  later  in  this 
statement,  the  Roundtable  believes  that  protecting  the  confidentiality  of  health  information  in  the 
possession  of  a  financial  institution  is  a  matter  that  merits  a  uniform,  national  policy. 

Also,  I  believe  it  is  important  to  note  at  the  outset  of  this  statement  that  the  members  of  the  Roundtable  - 
and  as  far  as  I  know  most  providers  of  financial  services  -  do  not  currently  use  health  information 
derived  from  customers  other  than  for  medical  reasons  or  as  otherwise  intended  by  customers.  In  other 
words,  this  issue  is,  at  best,  a  potential  "loophole"  in  our  privacy  laws. 

The  Roundtable  Supports  H.R.  4585 

As  integrated  financial  services  providers,  the  members  of  the  Roundtable  believe  that  the  sharing  of 
consumer  information  with  affiliates  and  third  parties  can  benefit  the  consumers  of  financial  services. 
Information  sharing  between  affiliates,  for  example,  can  permit  an  integrated  firm  to  structure  products 
and  services  that  meet  a  consumer's  specific  needs. 

At  the  same  time,  the  Roundtable's  members  recognize  that  financial  institutions  have  an  obligation  to 
maintain  the  confidentiality  of  certain  information  within  their  possession.  As  a  result,  the  Roundtable 
joined  the  rest  of  the  financial  services  industry  in  supporting  the  privacy  provisions  in  the 
Gramm-Leach-Bliley  Act.  As  the  members  of  this  Committee  know,  the  House  version  of  the 
Gramm-Leach-Bliley  Act  included  provisions  protecting  health  information.  The  Roundtable  supported 
those  provisions,  but  they  were  dropped  for  various  reasons.  I  commend  the  Chairman  for  his  efforts. 

H.R.  4585  would  expand  upon  the  privacy  provisions  in  the  Gramm-Leach-Bliley  Act  by  establishing 
new  standards  for  the  protection  of  health  information  held  by  financial  institutions.  The 
Gramm-Leach-Bliley  Act  provides  that  a  financial  institution  may  not  disclose  personal  information  to  a 
non-affiliated  third  party,  without  giving  the  consumer  an  appropriate  notice  and  opportunity  to  prevent 
such  disclosure.  H.R.  4585  would  impose  a  more  stringent  standard  for  health  information.  It  would 
prevent  a  financial  institution  fi-om  sharing  health  information  without  the  affirmative  consent  of  the 
consumer.  Furthermore,  the  bill's  limitations  on  the  sharing  of  health  information  would  apply  not  only 
to  non-affiliated  third  parties,  but  also  to  any  affiliate  of  a  financial  institution. 

The  Roundtable  supports  the  protections  for  health  information  contained  in  H.R.  4585.  The 


156 


Roundtable's  members  recognize  that  health  infonnation  can  be  more  sensitive  than  other  forms  of 
personal  information.  Roundtable  members  also  icnow  that  consumers  provide  medical  information  to 
financial  institutions  only  for  specific  purposes,  such  as  the  purchase  of  insurance,  and  the  Roundtable 
members  limit  the  use  of  such  information  accordingly. 

Financial  Institutions  Ah-eady  Protect  Health  Information 

Our  support  for  H.R.  4585  is  a  reflection  of  current  industry  practice.  Almost  every  state  has  adopted 
some  law  to  protect  the  confidentiality  of  health  information,  and,  in  most  states,  health  information 
cannot  be  disclosed  without  the  affirmative  consent  of  an  individual. 

Additionally,  the  financial  services  industry  has  voluntarily  agreed  to  safeguard  health  information 
within  its  possession.  Just  last  month,  for  example,  the  Roundtable  joined  the  nation's  major  banking 
trade  associations  in  the  release  of  voluntary  guidelines  for  the  banking  industry  which  call  for  a  banking 
institution  to  obtain  the  affirmative  consent  of  a  customer  before  sharing  health  information.  It  is  my 
understanding  that  the  major  national  insurance  trade  groups  have  adopted  similar  policies  for  insurance 
companies. 

The  U.S.  Department  of  Health  and  Human  Services  (HHS)  also  is  in  the  midst  of  finalizing  regulations 
that  relate  to  the  privacy  of  health  information. 

As  the  Committee  continues  its  deliberations  of  H.R.  4585,  we  would  urge  it  to  review  and  take  into 
account  this  fi'amework  of  existing  law  and  industry  guidelines. 

Certain  Provisions  in  H.R.  4585  Need  to  be  Revised 

Our  support  for  H.R.  4585  is  not  unqualified.  While  we  believe  that  the  sharing  of  health  information 
should  be  subject  to  a  policy  of  affirmative  consent,  we  also  believe  that  the  bill  should  be  revised  in 
several  respects.  The  following  are  some  of  our  concerns. 

Exceptions  to  the  Affirmative  Consent  Requirement 

Under  H.R.  4585,  most  of  the  exceptions  to  the  sharing  of  personal  information  that  are  contained  in  the 
Gramm-Leach-Bliley  Act  would  apply  to  the  sharing  of  health  information.  For  example,  the  bill  would 
permit  a  financial  institution  to  share  health  information  with  another  party  to  protect  against  or  prevent 
actual  or  potential  fraud  or  claims.  However,  the  bill  does  not  extend  two  of  the  exceptions  in  the 
Gramm-Leach-Bliley  Act  to  health  information,  and  these  two  exceptions  should  apply  to  the  sharing  of 
health  information. 

First,  the  bill  would  not  allow  an  insurance  firm  to  share  infonnation  with  an  insurance  rate  advisory 
organization  or  a  state  insurance  guaranty  fund  without  affirmative  consent.  Insurance  companies  share 
health  information  with  rate  advisory  organizations  to  establish  rates  for  particular  lines  of  insurance. 
Similarly,  when  an  insurer  is  declared  insolvent,  health  information  in  its  possession  must  be  shared  with 
a  state  guaranty  fund.  If  such  information  cannot  be  shared  freely  with  rating  organizations  or  guaranty 
funds,  the  establishment  of  rates  and  resolution  of  insolvencies  may  be  seriously  impaired.  We  urge  the 
Committee  to  include  the  Gramm-Leach-Bliley  exception  for  information  sharing  with  rate  advisory 
organizations  and  state  guaranty  funds. 

The  absence  of  this  exception  is  a  serious  flaw  in  the  current  draft;  one  which  I  hope  is  inadvertent. 
Without  this  exception,  tfie  basis  for  pricing  insurance  products  and  resolving  insolvencies  of  insurance 
firms  could  be  seriously  harmed.  I  do  not  believe  that  is  the  intent  of  Congress  or  the  will  of  the 
American  people. 

Second,  the  Gramm-Leach-Bliley  Act  includes  an  exception  for  the  sharing  of  information  with  service 
providers  and  joint  marketers  as  long  as  such  parties  maintain  the  confidentiality  of  the  information.  We 
believe  a  similar  exception  should  be  included  in  H.R.  4585.  Without  such  an  exception,  it  would  be 
difficult  for  many  insurance  firms  to  use  independent  agents,  banks,  broker/dealers  or  others  to  service 


157 


or  market  products,  and  this  could  have  a  negative  impact  on  the  consumers  of  insurance  products. 

Additionally,  the  Committee  should  consider  exceptions  for  other  current  industry  practices.  For 
example,  the  operation  of  worker's  compensation  programs  and  medical  research  programs  depends 
heavily  on  the  sharing  of  information  between  insurance  companies  and  third  parties.  The  effectiveness 
of  these  programs  could  be  impaired  by  the  application  of  the  affirmative  consent  requirement. 

Consumer  Rights  to  Access  and  Corrections 

H.R.  4585  would  provide  consumers  with  a  right  to  review  health  information  in  the  possession  of  a 
financial  institution  and  a  right  to  dispute  the  accuracy  of  such  information.  While  we  endorse  the  intent 
of  these  provisions,  we  believe  that  they  deserve  further  consideration  by  the  Committee. 

First,  the  Committee  should  recognize  that  there  are  instances  in  which  it  is  not  appropriate  for  a 
financial  institution  to  share  unconditionally  health  information  with  a  consumer.  Consider,  for  example, 
a  situation  in  which  a  life  insurance  company  leanis  through  a  required  blood  test  that  an  applicant  for 
life  insurance  is  HIV  positive.  Because  of  the  sensitive  nature  of  this  information,  most  insurance 
companies  cuirently  will  not  convey  the  results  of  such  a  test  directly  to  the  applicant,  but  will  notify  the 
applicant's  doctor  and  rely  on  the  applicant's  doctor  or  a  trained  counselor  to  convey  that  information. 
Some  states  have  addressed  this  and  similar  situations  by  limiting  an  individual's  access  to  health 
information  that  could  endanger  the  life  or  safety  of  the  individual. 

Second,  the  Committee  should  clarify  that  a  financial  institution  has  an  obligation  to  "amend,  correct,  or 
delete"  health  information  that  is  incomplete  or  inaccurate  only  if  the  financial  institution  created  such 
information.  As  drafted,  H.R.  4585  implies  that  a  financial  institution  has  some  obligation  to  amend, 
correct,  or  delete  any  incomplete  or  inaccurate  information,  regardless  of  who  created  the  information. 

Third,  H.R.  4585  would  provide  that  a  consumer  does  not  have  a  right  to  obtain  information  assembled 
by  a  financial  institution  as  part  of  its  efforts  to  "comply"  with  laws  preventing  fi-aud.  We  recommend 
that  this  exception  also  include  information  assembled  to  "identify  or  investigate"  possible  fraud,  as  well 
as  information  assembled  in  the  context  of  a  dispute  with  the  consumer. 

Finally,  the  Committee  should  consider  what  procedures  apply  to  these  provisions.  For  example,  does 
the  consumer's  right  apply  to  all  information,  no  matter  when  created?  How  quickly  must  a  financial 
institution  respond  to  a  request  for  information?  If  there  is  a  dispute  over  the  accuracy  of  the 
information,  how  is  that  dispute  to  be  adjudicated? 

Spending  Habits  and  Aggregate  Lists 

The  affirmative  consent  requirement  in  H.R.  4585  would  apply  to  the  compilation  of  lists  and 
descriptions  of  consumer  spending  habits  if  such  lists  and  descriptions  are  derived  from  health 
information.  Also,  the  affirmative  consent  requirement  would  apply  to  the  compilation  of  aggregate  lists 
of  consumers  that  contain  or  are  derived  from  health  information.  Presumably,  these  provisions  are 
intended  to  limit  the  use  of  health  information  for  marketing  purposes.  However,  as  drafted,  the 
provisions  would  limit  the  sharing  of  experience  information  between  an  insurance  company  and  third 
parties,  including  affiliates  that  use  such  information  to  develop  generic  claims  profiles  and  insurance 
rates.  Also,  care  needs  to  be  taken  to  ensure  that  these  provisions  do  not  affect  aggregated  lists  of  credit 
card  charges  and  checking  account  activities  currently  provided  to  consumers.  To  avoid  such  problems, 
we  recommend  that  these  provisions  be  limited  to  "marketing"  activities. 

Treatment  of  Mental  Health  Information 

H.R.  4585  would  require  a  financial  institution  to  obtain  a  separate  consent  from  a  consumer  before 
sharing  any  information  related  to  the  mental  health  or  mental  condition  of  the  consumer.  This  means 
that  in  certain  cases  a  financial  institution  would  be  required  to  obtain  two,  separate  consents  from  a 
consumer  —  one  governing  the  consumer's  "individually  identifiable  health  information,"  and  a  second 
specifically  related  to  the  consumer's  "mental  health  or  mental  condition."  We  do  not  see  the  need  for 


65-149    2001  -  6 


158 


this  double  consent  requirement.  The  bill's  definition  of  "individually  identifiable  health  information" 
expressly  includes  any  information  related  to  the  "physical  or  mental  health  or  condition"  of  an 
consumer.  One  consent  should  be  sufficient. 

Additionally,  the  bill  does  not  define  what  constitutes  "mental  health"  or  "mental  condition."  If  any 
provisions  specifically  relating  to  these  terms  are  included  in  the  bill,  we  urge  the  Committee  to  define 
them. 

Definition  of  "Individually  Identifiable  Health  Information" 

We  are  concerned  about  the  relationship  between  the  protections  for  health  information  in  H.R.  4585  and 
the  protections  for  personal  information  that  already  are  part  of  the  Gramm-Leach-Bliley  Act.  The 
existing  privacy  provisions  in  the  Gramm-Leach-Blilcy  Act  do  not  prohibit  the  sharing  of  demographic 
information  about  a  consumer,  such  as  an  individual's  address,  telephone  number  or  zip  code,  if  that 
information  is  publicly  available.  On  the  other  hand,  H.R.  4585  would  prohibit  the  sharing  of 
demographic  infomiation  created  by  an  employer  or  health  care  entity  that  relates  to  an  individual's 
health  and  that  identifies  the  individual.  In  order  to  avoid  any  confusion  with  the  Gramm-Leach-Bliley 
Act,  we  believe  the  Committee  should  clarify  that  publicly  available  demographic  information  that  does 
not  include  health  information  is  not  subject  to  the  affirmative  consent  requirement  imposed  by  the  bill. 

The  Need  for  a  National  Standard 

As  I  noted  at  the  outset  of  this  statement,  the  Roundtable  believes  that  the  confidentiality  of  health 
information  is  a  matter  that  merits  a  national  policy  approach.  In  other  words,  it  is  a  concern  to  all 
consumers  and  all  financial  institutions  that  possess  health  information.  As  a  result,  the  Roundtable 
believes  that  maintaining  the  confidentiality  of  health  information  demands  a  uniform,  national  policy. 

All  consumers,  regardless  of  where  they  reside  or  receive  health  care,  should  be  able  to  expect  the  same 
level  of  protection  for  their  health  information.  Similarly,  all  financial  institutions  that  possess  health 
information  should  be  able  to  comply  with  one  national  set  of  confidentiality  requirements. 

Absent  a  single,  national  standard  governing  the  confidentiality  of  health  information  held  by  financial 
institutions,  the  customers  of  those  institutions  and  the  institutions  themselves  will  face  a  patchwork  of 
requirements  imposed  by  state  and  federal  legislators  and  regulators.  As  I  have  previously  noted,  most 
states  already  have  adopted  laws  governing  the  confidentiality  of  health  information,  and  HHS  is  in  the 
process  of  finalizing  a  regulation  on  this  issue.  These  requirements,  however,  are  far  from  uniform  or 
comprehensive. 

The  Committee  faces  an  important  choice.  It  can  either  layer  the  requirements  of  H.R.  4585  on  this 
existing  patchwork  of  laws  and  regulations  and  thereby  add  to  the  confusion  of  consumers  and  the 
compliance  burden  of  financial  institutions,  or  it  can  establish  a  single  national  standard  governing  the 
confidentiality  of  health  information  maintained  by  financial  institutions.  The  Roundtable  would 
recommend  that  the  Committee  impose  a  national  standard.  Thank  you  for  the  opportunity  to  share  our 
views  on  this  important  and  timely  topic. 


159 


N  A I  FA  PROFESSIONAL 

INSURANCE 
AGENTS 


DONALD  C.  BRAIN,  JR.,  CPA,  AAI 

PRESIDENT 

LOCKTON  BENEFIT  GROUP 

ON  BEHALF  OF  THE 

INDEPENDENT  INSURANCE  AGENTS  OF  AMERICA 

NATIONAL  ASSOCIATION  OF  INSURANCE  AND  FINANCIAL  ADVISORS 

NATIONAL  ASSOCIATION  OF  PROFESSIONAL  INSURANCE  AGENTS 

BEFORE  THE  HOUSE  COMMITTEE  ON  BANKING 
AND  FINANCIAL  SERVICES 


JUNE  14,  2000 


160 


Mr.  Chairman,  and  members  of  the  Committee,  my  name  is  Don  Brain.   I  am  the 
President  of  the  Lockton  Benefit  Group,  the  11""  largest  benefits  consulting  firm  in  the 
nation.  The  3,000-employee  Lockton  Benefit  Group  sells  and  administrates  a  full  range 
of  employee  benefit  plans.  I  appear  today  on  behalf  of  the  insurance  agents  and 
brokers  of  America,  and  their  employees  -  nearly  1 ,000,000  men  and  women  who  work 
in  every  part  of  the  United  States.  These  professionals  are  represented  by  the 
Independent  Insurance  Agents  of  America,  Inc.  (IIAA),  the  National  Association  of 
Insurance  and  Financial  Advisors  (NAIFA,  formerly  known  as  NALU)  and  the  National 
Association  of  Professional  Insurance  Agents  (PIA),  on  whose  behalf  I  testify  today. 

I  currently  serve  as  a  member  of  IIAA's  Government  Affairs  Committee  and  I  am  the 
Health  Care  Liason  to  that  committee.  In  addition,  many  of  the  Lockton  Benefit  Group's 
agent  and  broker-employees  are  members  of  NAIFA  and  the  Association  of  Health 
Insurance  Advisors,  NAIFA's  conference  devoted  exclusively  to  health  insurance  and 
benefits-related  issues.   IIAA,  NAIFA  and  PIA  members  include  health  insurance 
specialists  located  across  the  country,  and  IIAA,  NAIFA  and  PIA  represents  their 
members'  interests  on  a  wide-range  of  insurance  matters,  including  health  and 
employee  benefits  issues. 

INTRODUCTION 

IIAA,  NAIFA  and  PIA  are  appearing  before  you  today  to  comment  on  the  bill  that  you 
just  recently  introduced  -  H.R.  4585,  the  "Medical  Financial  Privacy  Act. "  First,  Mr. 
Chairman,  let  me  thank  you  for  holding  this  hearing  today  and  providing  us  with  a 
chance  to  submit  our  views  on  this  very  important  piece  of  legislation.  There  is  perhaps 
no  more  important  topic  in  politics  today  than  ensuring  that  the  private  information  of 
individuals  remains  just  that  -  private.  And  there  is  no  more  important  type  of 
information  that  should  remain  private  than  each  and  every  person's  medical 
information. 

At  the  outset,  I  must  therefore  commend  you,  Mr.  Chairman,  for  following  up  your  work 
on  the  Gramm-Leach-Bliley  Act  with  legislation  designed  to  strengthen  that  Act's 
consumer  privacy  protections  in  the  health  information  context.  I  also  must  commend 
you,  Mr.  Chairman,  for  being  sensitive  to  our  views  and  for  agreeing  to  work  with  us  to 
ensure  that  the  protections  that  you  are  crafting  protect  consumers'  privacy  while  at  the 
same  time  protecting  their  access  to  employer-sponsored  group  health  care  plans. 

The  primary  message  that  I  have  been  asked  to  relate  to  you  today,  Mr.  Chairman,  is 
that  the  insurance  agents  want  you  to  know  that  they  intend  to  do  everything  within  their 
power  to  help  you  mold  a  bill  that  can  take  flight  and  become  the  law  of  the  land. 

The  insurance  agents  fully  support  the  overarching  objective  of  protecting  individuals' 
sensitive  health  information  and  your  approach  to  achieving  that  objective.  At  the  same 
time,  insurance  agents  need  to  share  information  that  they  receive  in  the  normal  course 
of  business  with  insurers  and  health  care  providers  in  order  to  provide  both  the  high 
level  of  service  and  the  health  care  benefits  that  all  of  us  want  and  need.  Insurance 


161 


agents  use  the  information  for  one  purpose  and  one  purpose  alone:  to  help  provide  the 
highest  level  of  health  care  benefits  and  service  w/ithin  the  budgetary  constraints  of  each 
of  their  clients.  Indeed,  because  the  vast  majority  of  small  businesses  in  the  United 
States  cannot  afford  a  separate  health  benefits  administrator  or  human  resources 
department,  the  agent  often  fills  those  roles  for  such  small  businesses. 

From  our  perspective,  the  only  clarification  that  is  necessary  to  ensure  that  the  on-going 
administration  of  employer-sponsored  health  benefit  plans  and  workers  compensation 
programs  is  not  disrupted  in  any  way  is  to  specifically  provide  that  information  obtained 
in  conjunction  with  the  administration  of  a  plan  can  be  used  for  any  purpose  related  to 
the  administration  or  replacement  of  that  plan. 

This  testimony  is  divided  into  two  parts.  The  role  of  the  insurance  agent  and  the 
manner  in  which  employer-sponsored  group  health  insurance  plans  and  workers 
compensation  programs  are  administrated  is  outlined  in  the  first  part.  The  second  part 
then  highlights  the  need  for  our  suggested  clarification. 

1.         The  Role  and  Value  of  the  Agent/Broker 

Historically,  the  agent  system  has  been  the  principal  method  of  distribution  for  private 
life  and  health  insurance.  Agents  are  the  essential  link  between  the  consumer  and  the 
insurance  company,  providing  and  servicing  the  products  of  the  insurer  while  educating 
the  consumer  on  how  to  manage  risks  and  how  to  make  informed  choices  regarding 
their  insurance  purchases. 

Dramatic  increases  in  health  care  costs  in  the  last  decade  have  made  the  agent  an 
increasingly  important  part  of  the  health  care  equation.  More  than  ever,  both  employers 
and  individuals  rely  on  the  advice  of  their  agents  regarding  cost  savings  measures  and 
coverage  options.   Indeed,  in  the  health  insurance  context,  the  agent  almost  always 
represents  the  interests  of  the  insured  or  of  the  employer-sponsor  of  the  health  care 
plan.  In  this  sense,  the  agents  are  acting  as  "brokers"  and  they  are  not  considered  to 
be  agents  of  the  underwriters. 

Health  insurance  agents/brokers  play  a  number  of  invaluable  roles: 

♦  They  work  with  clients  to  evaluate  their  need  for  health  insurance  protection. 
This  may  involve  substantial  research  and  fact  finding  about  the  client's  needs.  It 
also  may  involve  sharing  health  information  about  an  employer's  employees  with 
a  number  of  different  insurers  to  fully  evaluate  the  potential  health  benefit  plan 
options  and  the  costs  of  each  of  those  options. 

♦  They  educate  by  explaining  the  various  health  plans  available  and  provide 
appropriate  cost  indexes. 


♦ 


They  make  specific  recommendations  that  suit  the  client's  objectives  and  budget. 
Often  a  health  insurance  plan  is  designed  by  the  agent  to  fit  a  client's  special 
needs. 


♦ 


162 


They  encourage  the  client  to  act  in  a  tinneiy  fashion  to  assure  that  the  proper 
coverages  are  in  place  when  they  are  needed.  They  also  see  to  it  that  accurate 
and  complete  information  is  provided  to  the  insurer  to  make  sure  that  the  client 
gets  the  very  lowest  premium  available. 

♦  They  keep  in  touch  with  the  client  and  review  or  update  coverage  on  a  periodic 
basis.  They  suggest  changes  when  appropriate  and  counsel  clients  on  ways  to 
reduce  cost.  Often  they  must  assist  their  client  in  reviewing  the  need  for  legal 
and  tax  compliance,  recommending  other  professional  assistance  when 
necessary. 

♦  They  assist  with  claims,  answer  questions  and  serve  as  ombudsmen  in  helping 
their  clients  and  their  clients'  employee-insureds  deal  with  insurance  companies. 
Agents  often  spend  a  great  deal  of  time  helping  to  assemble  the  proper 
documentation  needed  to  file  or  follow  up  on  a  claim. 

♦  They  assist  business  owners  in  communicating  their  benefit  packages  to  their 
employees,  often  assisting  the  employee  in  seeing  how  the  benefits  coordinate 
with  their  personal  financial  programs  as  well  as  those  provided  by  government 
entities. 

2.         The  H.R.  4585  Proposal  -  Protecting  The 

Viability  Of  Employer-Sponsored  Health  Benefits 

As  noted  at  the  outset,  IIAA,  NAIFA  and  PIA  share  the  overarching  objective  of 
ensuring  that  the  confidentiality  of  individually  identifiable  health  information  is 
protected.  Indeed,  IIAA,  NAIFA  and  PIA  have  fully  supported  efforts  in  the  States  to 
enact  privacy  provisions  that  apply  to  both  insurers  and  agents.  Although  H.R.  4585 
would  help  to  ensure  that  these  confidentiality  objectives  are  met,  it  must  be  clarified 
to  make  clear  that  its  restrictions  are  not  intended  to  interfere  with  the  provision  of 
employer-sponsored  group  health  plans  or  workers  compensation  programs  in  any 
way. 

A  failure  to  make  such  a  clarification  could  have  serious  negative  ramifications  for 
our  current  health  benefits  system.  This  is  because  tens  of  millions  Americans 
currently  are  insured  through  employer-sponsored  health  benefits  plans  and  are 
protected  by  state-mandated  employer-purchased  workers  compensation  programs. 
In  order  to  evaluate  alternative  and  replacement  benefits  plans,  agents  must  be  able 
to  use  and  share  personally  identifiable  health.  Indeed,  insurers  cannot  and  will  not 
price  a  group  plan  without  specific  information  on  the  claims  history  of  members  of 
that  plan.  If  a  single  employee  directs  that  their  information  not  be  shared  for  that 
purpose,  the  entire  group  plan  would  be  frozen  in  place. 

Without  the  clarification  we  have  requested,  the  legislation  would  thus  undoubtedly 
serve  both  to  increase  the  costs  of  providing  health  care  benefits  and  to  reduce  the 
number  of  benefit  options  that  many  employers  will  be  able  to  consider.  This  would 
greatly  undermine  the  level  of  care  that  many  Americans  will  be  able  to  receive  and 
it  would  likely  lead  to  a  tremendous  expansion  in  the  number  of  un-  or  under-insured 
Americans. 

CONCLUSION 

In  closing,  I  would  just  like  to  thank  you  once  again  for  offering  us  this  opportunity  to 
testify.   IIAA,  NAIFA  and  PIA  look  forward  to  working  closely  with  you  to  in  your  efforts 
to  pass  H.R.  4585  into  law  this  term.  I  would  be  happy  to  answer  any  questions. 


163 


STATEMENT 

OJ     THE 

AMERICAN 
INSURANCE 
ASSOCIATION 


Hearing  on  H.R.  4585,  the  Medical  Financial  Privacy  Protection  Act 


Submitted  To  The 

Committee  on  Banking  and  Financial  Services 

United  States  House  of  Representatives 

June  14,  2000 

American  Insurance  Association 

1130  Connecticut  Avenue,  NW 

Suite  1000 

Washington,  DC  20036 

(202)  828-7100 


A 


American 
Insurance 
Association 


The  American  Insurance  Association  is  a  national 
trade  organization  of  property  and  casualty  insurers. 


164 


Testimony  of  the  American  Insurance  Association 
before  the  Committee  on  Banking  and  Financial  Services, 

U.S.  House  of  Representatives 
on  H.R.  4585,  the  Medical  Financial  Privacy  Protection  Act 


Mr.  Chairman  and  Members  of  the  Committee: 

My  name  is  Robert  H.  Rheel,  senior  vice  president  at  the  Fireman's  Fund 
Insurance  Company.  I  am  pleased  to  appear  before  you  today  on  behalf  of  the 
American  Insurance  Association  to  discuss  H.R.  4585,  the  Medical  Financial  Privacy 
Protection  Act,  and  we  appreciate  the  oppormnity  to  present  our  views. 

The  AIA  is  the  principal  trade  association  for  property  and  casualty  insurance 
companies,  representing  more  than  370  major  insurance  companies  which  provide  all 
lines  of  property  and  casualty  insurance  and  write  more  than  $60  billion  in  annual 
premiums.  Fireman's  Fund,  established  in  1863  in  San  Francisco,  California,  is 
among  the  nation's  top  writers  of  property  casualty  insurance  and  employs  over  8,000 
people. 

INTRODUCTION 

The  issue  of  maintaining  the  privacy  of  medical  information  is  a  vitally 
important  issue  for  consumers  and  for  our  member  companies.  As  we  have  stated  on 
several  occasions  before  this  Committee  and  elsewhere,  information  is  the  lifeblood 
of  the  insurance  industry.  Without  access  to  customer  information,  we  could  not  offer 
and  provide  insurance  products  to  consumers.  We  could  not  process  claims,  and  we 
could  not  protect  against  fraudulent  activities.  At  the  same  time,  we  recognize  how 
concerned  policyholders  are  that  we  preserve  the  confidentiality  of  the  sensiti'  2 
medical  and  financial  information  we  maintain. 

Insurance  companies  have  long  had  experience  with  maintaining  and 
protecting  financial  and  medical  information  we  collect  and  possess  about  our 
policyholders.  Many  states  have  already  enacted  laws  that  provide  protection  for 
medical  and  financial  information  maintained  by  insurance  companies.  These  laws 
provide  a  well-balanced  approach  to  consumer  privacy,  and  provides  significant 
protection  at  the  state  level  for  consumers'  medical  and  financial  information  while 
not  unduly  interfering  with  the  necessary  disclosure  of  information  needed  to 
underwrite  insurance  and  process  transactions  and  claims. 

The  recently  enacted,  and  soon  to  be  effective,  privacy  provisions  of  the 
Gramm-Leach-Bliley  Act  and  rules  recently  adopted  by  the  federal  financial 
institution  regulatory  agencies  already  provide  coverage  for  medical  information 
maintained  by  financial  institutions.  We  understand  that  the  state  insurance 


165 


commissioners  are  considering  rules  to  implement  Title  V.  In  view  of  the  importance 
access  to  medical  information  plays  in  the  insurance  industry,  we  have  urged  the 
conmiissioners  at  this  time  to  defer  action  on  the  issue  of  medical  information. 

In  view  of  all  of  these  evolving  events,  we  do  not  believe  it  is  appropriate  nor 
necessary  for  Congress  to  adopt  legislation  at  this  time.  Insurers  and  other  financial 
institutions  are  in  the  process  of  implementing  the  Gramm-Leach-Bliley  Act  and  the 
rules  adopted  by  the  agencies  and  the  state  insurance  regulators.  At  this  time,  we  do 
not  believe  the  benefits  which  the  bill  purports  to  provide  outweigh  the  considerable 
burdens  it  would  clearly  impose.  We  are  unaware  of  any  instance  of  abuses  in  the 
property/casualty  insurance  industry  .  Further,  there  are  some  serious  drafting 
oversights  which  we  believe  need  be  addressed.  Finally,  adoption  of  the  legislation  at 
this  time  would  prove  particularly  disruptive,  and  we  believe  it  to  be  inappropriate  at 
this  time. 

THE  EXPERIENCE  OF  THE  INSURANCE  INDUSTRY  WITH 
PROTECTING  MEDICAL  INFORMATION  IS  EXCELLENT 

The  insurance  industry  has  long  recognized  that  information  concerning 
customers  must  be  protected  and  not  disclosed  to  third  parties  except  as  necessary  to 
facilitate  transactions  with  customers.  Insurance  companies  employ  strict  procedures 
to  ensure  that  customer  information  is  used  only  to  carry  out  our  responsibilities 
under  the  policies  we  have  entered  into  with  our  customers. 

Insurance  companies  have  a  legitimate  need  for  information  about 
policyholders  and  claimants.  In  the  context  of  processing  claims,  a  company  finds  it 
necessary  to  obtain  information  regarding  a  claimant  in  order  to  decide  whether  or  not 
to  pay  a  claim.  It  may  be  necessary  to  request  claimants  to  provide  medical 
information  as  part  of  the  claims  processing  process.  Such  information  is  carefully 
guarded  by  insurance  companies,  and  is  released  to  third  parties  only  as  necessary  to 
facilitate  the  processing  of  the  claim. 

As  the  Committee  is  aware,  last  November  Congress  enacted  comprehensive 
legislation  that  ensures  the  confidentiality  of  consumers'  personal  information 
maintained  by  financial  institutions,  including  insurance  companies.  The  legislation 
requires  all  financial  institutions  to  provide  their  privacy  policies  to  customers  at  the 
time  the  customer  relationship  is  established  and  each  year.  Financial  institutions  are 
not  permitted  to  share  personal  information  about  a  consumer  with  a  nonaffiliated 
third  party  unless  the  consumer  has  been  notified  about  the  possibility  of  such 
disclosures  and  has  not  informed  the  financial  institution  to  keep  the  information 
confidential.  The  rules  adopted  by  the  federal  agencies  provide  that  medical 
information  maintained  by  financial  institutions  is  covered  by  the  privacy  protections 
of  Title  V  of  the  Gramm-Leach-Bliley  Act.  The  rules  also  provide  that  the  Act  goes 
into  effect  beginning  this  November,  and  that  financial  institutions  are  required  to 
comply  with  all  aspects  of  the  rules  and  legislation  by  July  V  of  next  year. 


166 


The  nation's  federally  regulated  financial  institutions  are  just  beginning  to 
implement  the  rules  the  agencies  adopted  last  month.  In  view  of  the  uniqueness  of 
insurance  companies.  Title  V  provided  that  the  state  insurance  commissioners  should 
enforce  the  privacy  provisions  appUcable  to  insurance  companies.  The 
conunissioners,  under  the  auspices  of  the  National  Association  of  Insurance 
Commissioners,  are  now  in  the  process  of  evaluating  these  rules  and  proposing 
privacy  rules  that  would  apply  to  insurance  companies.  It  will  undoubtedly  be 
another  few  months  before  these  rules  are  adopted.  In  this  regard,  the  commissioners 
recently  adopted  a  resolution  indicating  that  they  intend  to  promulgate  rules  that 
provide  a  uniform  compliance  date  of  July  1,  2000,  which  is  the  same  date  adopted  by 
the  federal  regulators. 

In  addition,  the  federal  agencies  and  state  insurance  conunissioners  are 
required  to  develop  standards  for  fmancial  institutions  relating  to  administrative, 
technical  and  physical  safeguards  to  insure  the  security  and  confidentiality  of 
customer  records  and  information.  We  believe  the  insurance  industry  already  has  in 
place  effective  procedures  for  protecting  the  confidentiality  and  security  of  our 
policyholders'  personal  information,  and  we  are  confident  that  we  will  meet  the 
standards  the  agencies  adopt. 

It  is  important  to  recognize  that  the  implementation  of  Title  V  is  enormously 
complex.  It  involves  more  than  just  mailing  privacy  statements  to  customers. 
Financial  institutions  must  determine  the  categories  of  information  they  collect  and 
disclose  and  the  categories  of  third  parties  to  whom  they  disclose  information. 
Information  systems  must  be  modified  to  maintain  the  names  and  other  identifying 
information  of  customers  who  do  not  want  their  information  shared  with  unaffiliated 
third  parties.  These  systems  must  be  integrated  with  existing  systems  to  ensure  that 
the  customer's  instructions  are  followed.  Financial  institutions  have  advised  that  it 
will  take  at  least  six  months  to  develop,  implement  and  test  the  system  changes  that 
they  have  begun  to  develop.  To  impose  the  additional  requirements  that  are  called  for 
in  H.R.  4585  would  result  in  considerable,  unwarranted  burdens  on  financial 
instimtions  that  are  dedicating  significant  resources  to  implementing  Title  V. 

THE  REQUIREMENTS  OF  H.R.  4585  ARE  NOT  NEEDED  AT  THIS  TIME 

Opt  In  Requirements  are  Inappropriate 

The  proposed  legislation  requires  fmancial  institutions  to  obtain  the  consent  of 
consumers  before  disclosing  any  individually  identifiable  health  information.  As  a 
practical  matter,  insurance  companies  obtain  the  consent  of  prospective  policyholders 
to  obtain  and  release  health  information  in  connection  with  processing  insurance 
applications.  Nevertheless,  we  do  not  believe  that  the  requirement  for  obtaining  the 
consumer's  consent  fits  well  with  the  requirement  of  Title  V  that  the  consumer  be 
given  an  opportunity  to  opt  out  from  proposed  disclosures  to  third  parties. 


167 


The  opt  in  requirement  will  be  unnecessarily  confusing  for  financial 
institutions  and  consumers.  The  AIA  believes  that  the  current  opt  out  provisions  of 
Title  V,  taken  in  conjunction  with  those  of  the  Fair  Credit  Reporting  Act,  provide 
considerable  protections  for  consumers  to  assure  that  the  confidentiality  of  their 
health  information  will  be  maintained.  Consumers  who  are  concerned  with  the 
disclosure  of  such  information  will  be  given  numerous  opportunities  to  instruct  the 
fmancial  institutions  they  do  business  with  not  to  disclose  nonpublic  personal 
information,  including  health  information,  with  third  parties.  The  agencies'  rules 
provide  that  notices  must  be  clear  and  conspicuous,  and  must  give  the  consumer  a 
reasonable  means  of  opting  out.  Recognizing,  however,  that  there  is  a  higher  level  of 
concern  with  the  sharing  of  medical  information,  we  are  willing  to  consider  a 
narrowly  drafted  requirement  relating  to  the  sharing  of  medical  information  for 
marketing  purposes.  We  are  in  the  process  of  discussing  such  an  approach  with  the 
National  Association  of  Insurance  Commissioners.  Such  a  provision  cannot  impinge 
upon  an  insurer's  ability  to  conduct  its  core  insurance  functions.  In  addition,  new 
requirements  should  not  be  imposed  until  insurers  and  other  fmancial  institutions 
have  had  the  opportunity  to  make  the  systems  changes  needed  to  comply  with  the 
original  provisions  of  Title  V. 

Affiliates  Should  Not  be  Subject  to  the  Requirements 

The  Granmi-Leach-Bliley  Act  provides  that  financial  institutions  must  disclose 
to  consumers  their  policies  regarding  the  sharing  of  information  with  affiliated  and 
unaffiliated  third  parties.  However,  the  opt  out  requirements  of  Title  V  apply  only  to 
the  sharing  of  information  with  unaffiliated  third  parties.  The  Gramm-Leach-Bliley 
Act  does  not  cover  sharing  information  with  affiliates  for  several  reasons.  First,  in 
many  instances  an  affiliate  is  nothing  more  than  a  department  of  the  company. 
Financial  institutions  may  establish  separate  subsidiaries  for  reasons  related  to 
licensing,  tax  and  organizational  objectives.  For  example,  in  view  of  the  state- 
oriented  regulatory  structure  applicable  to  the  insurance  industry,  it  is  commonplace 
for  companies  to  establish  subsidiaries  in  different  states.  Information  relating  to 
policyholders,  however,  is  often  made  available  among  affiliates  in  order  to  better 
serve  customers.  As  a  result,  the  sharing  of  information  among  affiliates  is 
tantamount  to  the  company  using  the  information  itself  for  its  own  business-related 
purposes.  No  purpose  is  served  by  imposing  additional  hurdles  to  the  sharing  of  such 
information.  Indeed,  additional  burdens  on  information  sharing  would  undoubtedly 
reduce  the  ability  of  insurance  companies  to  serve  its  policyholders. 

In  addition.  Title  V  recognizes  that  institutions  that  share  information  with 
affiliates  akeady  are  subject  to  the  Fair  Credit  Reporting  Act.  The  FCRA  provides 
that  an  institution  may  not  disclose  personal  information  of  its  customers  (other  than 
transaction  and  experience  information)  to  an  affiliate  unless  the  consumer  has  been 
given  an  opportunity  to  opt  out.  As  a  result,  under  current  law  financial  institutions 
may  not  routinely  share  health  information  with  affiliates  unless  they  have  given 
consumers  an  opportunity  to  opt  out  from  such  disclosure. 


168 


In  view  of  the  carefully  crafted  language  of  the  Gramm-Leach-BUley  Act,  as 
well  as  the  coverage  for  affiliate  sharing  contained  in  the  FCRA,  we  believe  that  any 
further  restrictions  on  the  abihty  of  financial  institutions  to  share  information  with 
affiliates  should  await  a  comprehensive  review  of  the  FCRA.  In  any  event,  they 
should  not  prevent  insurance  subsidiaries  within  a  holding  company  structure  from 
sharing  medical  information  that  is  needed  to  serve  customers. 

Restrictions  on  Information  About  Personal  Spending  Habits  Are  Unnecessary 

H.R.  4585  limits  the  ability  of  financial  institutions  to  use  information  relating 
to  payments  the  consumer  has  made  without  the  consent  of  the  consumer  if  such 
information  is  derived  from  individually  identifiable  health  information.  While  the 
insurance  industry  does  not  ordinarily  make  use  of  such  information  in  this  manner, 
we  believe  that  the  proposal  would  have  unintended  effects. 

It  is  operationally  difficult  for  fmancial  instimtions  to  distinguish  between 
payments  that  relate  to  health  claims  and  other  payments.  Accordingly,  the  profiling 
provision  of  the  legislation  would  apply  to  all  payment  information  which  financial 
institutions  maintain.  In  view  of  the  broad  coverage  of  this  section,  this  restriction 
could  prove  very  disruptive  to  the  ongoing  operations  of  fmancial  institutions. 
Because  financial  institutions  may  be  unable  to  separate  fmancial  and  medical, 
insurers  may  not  be  able  to  obtain  necessary  information  about  a  payment  which  a 
policyholder  may  have  made  without  running  afoul  of  this  section. 

We  do  not  believe  that  the  limited  benefits  which  the  provision  provides 
outweighs  the  considerable  operational  biu^dens. 

There  Is  No  Reason  Why  The  Exceptions  of  H.R.  4585 
Should  Be  More  Limited  Than  Those  In  Title  V 

In  order  to  avoid  serious  disruptions  to  normal  operations,  Congress  wisely 
adopted  several  exceptions  that  permit  financial  institutions  to  routinely  share 
customer  information  with  third  parties.  These  include  sharing  information  as 
necessary  to  effect,  administer  or  enforce  transactions  requested  or  authorized  by 
consumers.  Similarly,  H.R.  4585  provides  a  number  of  exceptions  as  well  to  the 
requirement  that  the  consumer's  consent  be  obtained  before  health  information  may 
be  shared. 

However,  the  bill  leaves  out  several  exceptions  that  are  important  for  the 
insurance  industry.  For  example.  Title  V  permits  insurance  companies  to  provide 
information  to  insurance  rate  advisory  organizations,  state  guaranty  funds  or  agencies, 
rating  agencies  and  persons  assessing  the  financial  institution's  compliance  with 
industry  standards.  These  exceptions  are  critical  to  the  insurance  industry.  We 
believe  the  reasons  for  the  exceptions  provided  in  Title  V  apply  with  equal  force  to 
the  sharing  of  information  under  H.R.  4585.  Accordingly,  we  urge  the  Committee  to 
restore  the  exceptions  as  provided  in  Title  V. 


169 


State  guaranty  funds  and  agencies  play  an  important  role  in  connection  with 
the  insolvency  of  insurance  companies.  These  organizations  play  a  role  similar  to  that 
of  the  Federal  Deposit  Insurance  Corporation  with  regard  to  depository  institutions. 
In  the  event  an  insurance  company  fails,  guaranty  funds  and  agencies  provide  the 
necessary  continuity  by  stepping  in  to  satisfy  claims  (including  those  that  relate  to 
payments  to  cover  medical  care)  of  the  failed  company.  In  order  for  them  to  perform 
their  function  effectively,  it  is  imperative  that  they  have  access  to  all  information  in 
the  insolvent  insurance  company's  files. 

Insurance  rate  advisory  organizations,  rating  agencies  and  persons  assessing 
the  financial  institution's  compliance  with  industry  standards  must  have  access  to  a 
full  range  of  information  from  insurance  companies  in  order  to  assesses  risk  and 
perform  their  important  evaluative  roles.  We  think  it  is  important  for  these 
exemptions  to  apply  to  the  sharing  of  health  information  as  well. 

Title  V  also  permits  a  financial  institution  to  disclose  information  to  a  third 
party  who  is  assisting  the  institution  in  marketing  its  products  and  services  if  the 
institution  fully  discloses  this  to  the  customer  and  the  third  party  contractually  agrees 
to  maintain  the  confidentiality  of  the  information.  Because  it  is  quite  common  for 
insurance  companies  to  rely  upon  third  parties  such  as  independent  agents  to  market 
insurance  products,  it  is  very  important  that  this  exception  also  apply  to  the  sharing  of 
health  information.  Without  this  exception,  insurance  companies  would  be  unable  to 
continue  to  use  their  current  marketing  channels. 

Another  exception  provided  for  in  Title  V  which  was  not  carried  through  to 
H.R.  4585  is  the  provision  which  permits  financial  institutions  to  provide  information 
to  consumer  reporting  agencies  in  accordance  with  the  Fair  Credit  reporting  Act  or 
from  a  consumer  report  by  a  consumer  reporting  agency.  We  believe  that  this  is  an 
important  exception,  particularly  in  view  of  the  broad  scope  of  the  definition  of  the 
term  "individually  identifiable  health  information."  As  the  Committee  is  aware,  the 
FCRA  imposes  severe  limitations  on  the  ability  of  consumer  reporting  agencies  to 
provide  information  to  requestors.  It  is  important  for  the  smooth  functioning  of  the 
insurance  industry  that  companies  be  able  to  provide  information  to  consumer 
reporting  agencies  and  that  we  be  able  to  make  use  of  information  provided  by  such 
agencies. 

RESTRAINTS  ON  INFORMATION  REQUESTS 

We  are  puzzled  by  the  requirement  contained  in  H.R.  4584  that  in  connection 
with  considering  a  loan  request,  financial  institutions  may  not  use  information  from 
an  affiliate  unless  they  normally  receive  the  same  information  from  unaffiliated 
parties.  If  a  financial  institution  believes  it  is  desirable  to  obtain  information  from  an 
affiliate,  we  see  no  public  policy  reason  why  the  consumer  should  not  be  able  provide 
his  or  her  consent  to  permit  the  affiliate  to  share  the  information  with  the  financial 
institution.  It  is  cumbersome  and  inefficient  to  require  the  financial  institution  to  seek 


170 


information  from  other  sources,  and  we  cannot  understand  what  purpose  is  served  by 
such  a  requirement. 

ACCESS  AND  CORRECTION  RIGHTS 

H.R.  4585  requires  fmancial  institutions  to  make  available  to  consumers 
individually  identifiable  health  information  which  the  institution  possesses,  and 
provide  the  consumer  with  an  opportunity  to  request  that  inaccurate  information  be 
corrected.  The  AIA  believes  that  such  access  should  be  limited  only  in  instances 
where  the  consumer's  appUcation  is  denied  based  upon  the  health  information 
contained  in  the  instimtion's  records.  We  see  httle  purpose  to  be  served  in  providing 
access  to  such  information  when  the  consumer  has  not  been  denied  a  product  or 
service  by  the  financial  institution.  The  burden  and  expense  that  financial  institutions 
would  incur  in  order  to  provide  access  to  such  information  to  consumers  who  were 
not  denied  products  and  services  far  outweighs  the  benefits. 

We  also  believe  it  important  that  customers  not  be  given  access  to  certain 
confidential  information,  such  as  information  insurance  companies  maintain  in 
connection  with  investigating  fraud,  misrepresentation,  unlawful  activity,  and 
information  developed  in  connection  with  litigation.  Permitting  customers  to  obtain 
access  to  such  information  would  have  an  adverse  effect  upon  the  ability  of  financial 
institutions  to  investigate  illegal  activity  and  defend  themselves  against  improper 
activities. 

CONCLUSION 

In  summary,  we  want  to  underscore  that  insurers  understand  and  appreciate 
that  consumer  privacy,  especially  as  it  relates  to  financial  and  medical  information,  is 
a  top  public  policy  concern.  We  believe  the  experience  of  the  property  /  casualty 
insurance  industry  demonstrates  that  confidential  health  information  is  presently 
being  protected  by  companies  and  we  know  that  we  must  remain  ever  vigilant  to 
protect  this  information  in  order  to  maintain  our  policyholders'  confidence.  However, 
in  our  effort  to  secure  this  information,  legitimate  disclosures  of  information  needed 
to  continue  to  provide  our  customers  with  the  insurance  protection  they  require  should 
not  be  restricted.  We  look  forward  to  working  with  the  Chairman  and  Members  of 
the  Committee  on  this  very  important  issue. 


171 


Testimony  of 

Edward  L.  Yingling 

On  Behalf  of  the 

American  Bankers  Association 

Before  the 

Committee  on  Banking  and  Financial  Services 
United  States  House  of  Representatives 

June  14,2000 


^»o 


AMERICAN 

BANKERS 

ASSOCUTION 


172 


Testimony  of  Edward  L.  Yingling 
On  Behalf  of  the  American  Bankers  Association 

Before  the 

Committee  on  Banking  and  Financial  Services 

United  States  House  of  Representatives 

June  14, 2000 


Mr.  Chairman,  I  am  Edward  Yingling,  Deputy  Executive  Vice  President  and  Executive 
Director  of  Government  Relations  for  the  American  Bankers  Association  (ABA).  ABA  brings 
together  all  elements  of  the  banking  community  to  best  represent  the  interests  of  this  rapidly 
changing  industry.  Its  membership  -  which  includes  community,  regional,  and  money  center 
banks  and  holding  companies,  as  well  as  savings  institutions,  trust  companies,  and  savings  banks 
-  makes  ABA  the  largest  banking  trade  association  in  the  country. 

Mr.  Chairman,  thank  you  for  holding  this  hearing  on  medical  privacy.  The  issue  of 
privacy  -  that  is,  the  responsible  use  and  protection  of  customer  information  -  is  the  ABA's  top 
priority.  The  banking  industry  has  a  long  history  of  earning  the  trust  of  its  customers  and,  in 
particular,  of  protecting  their  private  financial  information.  Indeed,  our  extensive  survey  work 
shows  that  consumers  trust  banks  more  than  virtually  any  other  institution  to  protect  their 
information. 

We  are  now  in  the  middle  of  a  revolution  in  information  technology.  This  rapidly 
changing  technology  landscape  raises  exciting  new  possibilities  to  provide  customers  with  new 
and  innovative  products,  to  increase  convenience,  and  to  lower  costs.  At  the  same  time,  this 
changing  technology  raises  important  questions  about  the  appropriate  use  of  information  and  the 
need  to  make  sure  we  meet  the  expectations  of  our  customers  that  information  be  used 
responsibly.  While  technologies  have  changed,  the  fiindamental  principle  of  protecting  customer 
information  and  preserving  trust  has  not  -  it  remains  the  cornerstone  of  successful  banking; 

It  would  seem  obvious  that  medical  information  is  at  the  top  of  the  list  of  information 
about  which  consumers  are  concerned,  and,  indeed,  our  survey  work  confirms  that.  Throughout 
its  history,  the  banking  industry  has  protected  the  medical  information  of  its  customers  whenever 


173 


that  information  has  been  made  available  to  banks.  Therefore,  our  industry's  basic  approach  to 
medical  information  is  straightforward:  Medical  information  should  only  be  used  for  the 
express  purpose  for  which  it  is  provided  and  should  not  be  shared  without  the  express  consent 
of  the  customer.  More  specifically,  concern  has  been  expressed  that  lenders  might  use  medical 
information  obtained  elsewhere  in  making  a  credit  decision.  ABA's  position  is  that  such  use  of 
medical  information  in  a  credit  decision  obtained  without  the  knowledge  and  consent  of  the 
borrower  is  just  plain  wrong.  There  are  instances  where  medical  information  is  relevant  -  for 
example,  in  sole  proprietorships  or  smeill  businesses  where  the  franchise  value  of  the  firm  hinges 
on  one  or  two  key  individuals.  In  such  cases,  insurance  on  the  key  individuals  might  be  required. 
However,  in  those  instances,  the  prospective  borrower  will  know  what  information  is  required, 
and  can  expressly  consent  to  its  being  obtained  and  used.  Otherwise  medical  information  should 
not  be  used. 

On  June  6,  the  ABA,  joined  by  the  Financial  Services  Roundtable  and  the  Consumer 
Bankers  Association,  announced  new  voluntary  guidelines  on  the  appropriate  use  and  protection 
of  information,  based  on  the  extensive  work  of  a  blue  ribbon  ABA  task  force.  Attached  to  this 
testimony  is  a  copy  of  those  guidelines.  The  guidelines  represent  core  values  for  our  industry. 
The  guidelines  wall  help  bankers  reassess  every  aspect  of  how  they  collect,  use  and  distribute 
information  -  from  who  sees  the  information,  to  how  it  is  stored  and  updated;  from  how  it  is 
used  to  benefit  the  customer,  to  how  it  is  protected. 

We  believe  one  of  the  most  important  guidelines  is  number  3,  which  states: 

Medical  Information  Will  Not  Be  Shared 

Financial  institutions  recognize  that,  when  consimiers  provide  medical 
information  for  a  specific  purpose,  they  do  not  wish  it  to  be  used  for  other 
purposes,  such  as  for  marketing,  or  in  making  a  credit  decision.  If  a  customer 
provides  personal  medical  information  to  a  fmancial  institution,  the  financial 
institution  will  not  disclose  the  information,  unless  authorized  by  the  customer. 


174 


In  addition,  last  year  the  ABA  supported  the  legislative  provisions  on  medical  privacy 
that  were  contained  in  early  versions  of  what  became  the  Gramm-Leach-Bliley  Act.  We  were 
disappointed  that  the  issue  was  not  addressed  in  that  legislation  last  year. 

Therefore.  ABA  can  clearly  support  the  thrust  behind  H.R.  4585.  Having  said  this,  I 
must  also  say  that  the  ABA  has  very  serious  concerns  relating  to  H.R.  4585  in  two  areas.  The 
first  relates  to  process.  While  it  may  indeed  be  possible  to  obtain  a  broad  consensus  on  a 
targeted  bill  on  medical  information,  I  want  to  emphasize  that  the  ABA,  and  I  believe  the 
financial  services  industry  generally,  would  be  strongly  opposed  to  opening  up  the  privacy 
provisions  of  Gramm-Leach-Bliley  on  a  broader  front.  Given  the  limited  number  of  legislative 
days  left  in  this  Congress,  any  attempt  to  broaden  the  legislation  would  likely  mean  that  there 
would  be  no  legislation  at  all. 

It  should  be  clear  to  everyone  by  this  time  that  privacy  is  a  tremendously  complex  area  - 
and  one  where  the  law  of  unintended  consequences  is  very  much  in  play.  We  recognize  that 
some  members  of  this  Committee  did  not  feel  that  the  privacy  provisions  in  Gramm-Leach- 
Bliley  went  far  enough,  but  one  has  only  to  look  at  the  length  and  complexity  of  the  regulations 
just  finalized  to  reedize  what  a  major  piece  of  legislation  the  privacy  provisions  were.  The  ABA 
strongly  believes  that  we  need  to  see  just  how  the  current  law  works  before  we  try  to  add 
additional  requirements  to  it. 

A  special  word  is  in  order  about  regulatory  costs.  Our  members  are  now  beginning  to 
estimate  the  cost  of  compliance  with  the  new  privacy  law,  and  it  is  clear  for  the  largest  banking 
institutions  that  it  will  be  in  the  tens  of  millions  of  dollars  each.  Indeed,  we  believe  it  is  a 
conservative  estimate  that  the  initial  cost  across  all  fmancial  services  firms  will  be  in  excess  of 
$1  billion,  with  additional  ongoing  costs  each  year.  These  costs  include  developing  the  privacy 
programs,  reworking  all  information  systems  throughout  each  institution  to  comply  with  those 
programs,  training  virtually  every  employee  within  an  institution,  and  developing  and  mailing 
the  privacy  notices.  It  is,  of  course,  the  case  that  in  a  competitive  market  -  like  that  for  financial 
services  -  it  is  the  consumers  of  the  products  and  services  that  ultimately  pay  most  of  these  costs. 


175 


A  second  area  of  concern  relates  to  some  of  the  specific  provisions  in  H.R.  4585. 
Working  with  our  colleagues  in  the  Financial  Services  Coordinating  Council  (FSCC),  we  have 
identified  a  number  of  specific  problems  in  the  bill  that  need  to  be  addressed.  (The  FSCC 
consists  of  the  ABA,  the  American  Insurance  Association,  the  American  Council  of  Life 
Insurers,  the  Investment  Company  Institute,  and  the  Securities  Industry  Association.)  In 
particular,  there  are  specific  recommendations  ft-om  the  insurance  industry  relating  to  long- 
standing underwriting  processes  that  are  used  to  develop  appropriate  insurance  models.  ABA 
urges  the  Committee  to  listen  carefully  to  those  concerns  and  to  address  them  in  any  mark-up  of 
this  bill. 

Furthermore,  the  ABA  has  a  very  real  concern  with  the  subsection  in  the  bill  relating  to 
"Consumer  Rights  to  Access  and  Correct  Information."  Simply  put,  we  find  this  provision 
totally  imworkable  in  the  real  world.  The  concept  of  having  a  consumer  be  able  to  see  his  or  her 
medical  information  and  to  correct  it  is  likely  based  on  the  Fair  Credit  Reporting  Act  (FCRA). 
Under  that  act,  consumers  are  given  the  right  to  see  their  information  in  their  individual  credit 
file  and  to  ask  that  any  misinformation  be  corrected.  There  are  two  very  important  differences 
between  the  FCRA  and  the  consumer  access  provision  in  H.R.  4585.  First,  under  FCRA,  the 
request  to  see  information  relates  to  a  very  specific  credit  file.  The  entire  function  of  credit 
bureaus  is  to  develop  a  report  on  individuals,  and,  therefore,  information  is  centralized  into  that 
one  file.  In  fact,  the  purpose  of  credit  bureaus  is  to  collect  in  one  place  credit  information  from 
many  sources  so  that  a  lending  institution  relying  on  a  credit  report  will  have  the  fiiU  history  of 
the  perspective  borrower.  On  the  other  hand,  banks  generally  do  not  collect  medical  information 
on  customers.  Whatever  information  a  bank  may  have  access  to  is  a  natural  consequence  of 
providing  services,  such  as  payment  system  services  (e.g.,  checking,  credit  card,  and  debit  card 
services).  Because  such  information  is  not  collected  and  stored  in  one  place  such  as  a  specific 
file,  it  would  be  difficult  if  not  impossible  for  a  bank  to  retrieve  with  confidence  any  medical 
information  that  it  may  have  access  to.  In  fact,  we  would  think  Congress  would  not  want  us  to 
collect  it  in  a  central  location. 

Secondly,  the  FCRA  is  designed  to  protect  the  information  that  is  used  for  a  very 
important  purpose  -  making  credit  decisions.  Credit  bureaus  deliberately  collect  this  information 


176 


from  many  sources  in  order  to  provide  it  to  lenders  for  credit  decisions.  If  the  information  is 
incorrect,  it  may  prove  to  be  difficult  or  even  impossible  for  the  consumer  to  obtain  credit  even 
though  he  or  she  might  otherwise  be  considered  eligible  if  the  information  were  correct.  The 
Congress,  quite  understandably,  believed  that  this  was  of  tremendous  significance  to  the 
consumer.  Under  H.R.  4585,  however,  the  consumer  is  to  be  given  access  to  information 
whether  or  not  it  is  used  for  any  purpose  whatsoever. 

Thus,  under  the  literal  language  of  H.R.  4585,  an  individual  can  call  any  financial 
institution  and  demand  to  see  any  medical  information  that  might  be  held  anywhere  in  the 
institution  no  matter  for  what  purpose  it  is  held.  In  fact,  the  consumer  apparently  can  generate  a 
search  even  though  he  or  she  does  not  have  a  basis  on  which  to  believe  the  institution  has  or  is 
using  medical  information.  In  order  to  comply  with  such  a  request,  the  institution  would,  under 
the  language  of  the  bill,  need  to  query  the  great  majority  of  its  employees  to  see  if  each  employee 
has  somehow  or  other  gathered  some  medical  information  on  the  consumer.  While  this  may  not 
have  been  the  intent  of  the  legislation,  it  is  a  plain  reading  of  its  language. 

Part  of  the  problem  may  be  a  misconception  that  there  is,  in  any  financial  institution,  one 
list  that  contains  all  the  information  about  a  consumer.  In  institutions  of  even  the  smallest  size, 
that  is  not  the  case.  At  any  given  time,  there  are  numerous  lists,  developed  under  different 
circumstances  or  for  different  purposes.  There  also  is  information  in  many  employees'  files  that 
is  never  put  on  any  list  or  in  a  database.  While  it,  again,  may  not  be  the  intent  of  the  legislation, 
V        let  me  cite  a  few  examples  that  would  seem  to  be  covered  by  the  consumer  access  requirement. 
Note  in  this  context  that  the  definition  of  "individually  identifiable  health  information"  in  the  bill 
is^very  broad. 

First,  it  would  seem  that  a  bank  would  have  to  go  through  every  check  written  by  the 
consumer  and  every  credit  card  slip  in  its  files  to  see  if  they  contained  any  applicable  medical 
\  information  -  a  process  that  is  not  done  today  and  is  antithetical  to  the  notion  of  medical 

privacy.  Such  a  huge  undertaking  would  necessarily  involve  speculation  on  the  part  of  the 
financial  institution  as  to  what  constituted  medical  information.  For  example,  would  a  debit  card 
transaction  at  the  local  CVS  pharmacy  be  considered  medical  information?  Clearly,  CVS  sells 


177 


thousands  of  products  that  are  not  medically  related.  Moreover,  financial  institutions  would  also 
have  to  review  any  loan  made  to  the  consumer  to  see  if  the  proceeds  of  that  loan  were,  in  any 
fashion,  used  for  medical  purposes  and  the  fact  that  the  money  was  so  used  somehow 
communicated  to  the  bank.  All  lending  officers  and  insurance  agents  would  have  to  be  asked  if 
they  had  ever  taken  any  medical/insurance  information  as  part  of  a  loan  or  insurance  application 
and  kept  that  information  in  one  of  their  files. 

The  institution  would  also,  under  the  literal  language  of  the  bill,  have  to  query  all  its 
branches  to  see  if  any  information  had  been  provided  to  branch  personnel.  This  would  not  be 
limited  to  the  home  branch  of  the  customer,  as  the  customer  could  have  had  some  interaction 
with  any  branch.  Suppose,  for  example,  that  a  customer  goes  into  a  branch  away  from  his  or  her 
home  town  for  a  cash  advance  on  a  credit  card  to  deal  with  the  costs  surrounding  an  extended 
stay  due  to  injury  to  a  family  member  caused  by  an  accident.  Suppose  also  that  the  branch 
manager,  in  the  process  of  making  every  effort  to  aid  the  customer,  recorded  in  a  file  the  nature 
of  the  situation.  If,  six  months  later,  that  same  customer  calls  an  800  number  and  requests  his  or 
her  medical  information,  the  bank  would  be  in  violation  of  the  law  if  it  did  not  include  the  record 
of  that  branch  manager,  even  though  the  home  office  had  no  way  of  knowing  that  the  branch 
manager  had  the  information  or  had  ever  dealt  with  the  customer.  Literally,  to  be  in  compliance, 
the  home  office  would  have  to  query  the  great  majority  of  its  employees  to  make  sure  that  none 
of  them  had  come  into  possession  of  some  medical  information  and  had  it  in  a  file  somewhere. 

In  this  respect,  the  bill  provides  for  reimbursement  of  "reasonable"  costs.  What  would  be 
a  "reasonable"  cost?  If  a  "reasonable"  cost  is  that  needed  to  cover  the  cost  to  the  institution, 
which  we  would  argue  it  should,  then  it  could  be  very  expensive  to  the  consumer  to  make  any 
such  inquiry.  That,  of  course,  would  make  the  access  requirement  of  no  value.  Would 
"reasonable"  include  the  overhead  cost  of  developing  and  maintaining  a  system  to  reply  to  such 
inquiries?  If  "reasonable"  means  a  few  dollars,  then  financial  institutions  will  lose  great  amounts 
on  any  inquiry.  Some  may  argue  that  such  inquiries  would  be  rare,  but  the  institution  would  still 
be  required  to  have  an  expensive  process  in  place  to  access  the  information  across  its  entire 
operation,  no  matter  how  infrequent  the  inquiries  might  be.  On  the  other  hand,  since  the  bill 


178 


allows  any  "consumer"  to  make  such  requests,  a  large  group  could  demand  searches  just  to  hurt 
an  institution. 

ABA  also  is  concerned  about  the  paragraph  on  page  7  of  the  bill  entitled  "Restraint  on 
Information  Requests."  Quite  frankly,  we  cannot  understand  its  effect. 

In  conclusion,  Mr.  Chairman,  the  ABA  believes  that  medical  information  should  only  be 
used  for  the  express  purpose  for  which  it  is  provided  and  should  not  be  shared  without  the 
express  consent  of  the  customers.  However,  the  ABA  does  have  serious  concems  about  the 
legislative  process  going  beyond  medical  privacy  and  about  specific  provisions  of  the  bill.  In 
particular,  the  ABA  is  strongly  opposed  to  the  provision  which  would  establish  a  new,  open- 
ended  right  to  force  an  institution  to  search  for  information  wherever  it  may  be  in  an  institution 
and  whether  or  not  it  is  being  used  to  make  a  decision  of  any  importance  to  the  consumer.  The 
situation  is  not  analogous  to  the  FCRA,  where  consumers  have  a  legitimate  concem  that 
misinformation  in  a  specific  place  -  a  credit  file  -  could  adversely  affect  his  or  her  ability  to 
obtain  credit.  Under  H.R.  4585,  there  is  no  requirement  that  the  information  is  being  used  in  a 
manner  of  any  importance  to  the  consumer.  We  hope  that  these  concems  can  be  addressed  by 
the  Committee  and  we  look  forward  to  working  with  Committee  members  to  that  end. 


179 


Voluntary  Guidelines  for  Responsible  Use  and  Protection  of  Customer 

Information 

Introduction 

The  financial  services  industry  has  a  long  history  of  using  customer  information  responsibly.  The  industry 
values  the  trust  customers  have  that  financial  institutions  will  protect  their  personal  financial  information. 
New  technologies  have  dramatically  changed  the  way  information  is  gathered,  used  and  stored,  but  the 
importance  of  preserving  customer  trust  and  confidentiality  of  personal  information  has  remained  a  core 
value  of  the  financial  services  industry. 

This  special  task  force  has  developed  these  voluntary  guidelines  that  encourage  financial  institutions  to 
reassess,  through  self-€xamination,  how  they  use  customer  information.  In  partnership  with  their  customers, 
financial  institutions  reaflfirm  the  strong  commitment  to  safeguard  personal  information  and  provide  high- 
quality,  affordable  and  innovative  products  and  services. 

This  task  force  consisted  of  representatives  fiom  banking  institutions  of  all  sizes  and  fix)m  all  parts  of  the 
country.  It  included  CEOs,  privacy  experts,  representatives  of  non-bank  affiliates,  and  third  party  providers. 
These  guidelines  express  broad  concepts  to  be  followed.  They  are  not  meant  to  provide  a  detailed,  legal 
explanation  covering  every  possibility  —  for  example,  the  need  to  provide  information  in  response  to  a 
subpoena,  to  process  an  insurance  claim,  or  to  market  an  institution's  services  or  provide  products  jointly 
with  business  partners.  Nor  do  the  guidelines  constitute  a  privacy  policy,  which  would  need  to  be  more 
detailed,  although  these  guidelines  should  serve,  along  with  the  legal  requirements  of  the  Gramm-Leach- 
Bliley  Act,  as  the  basis  of  an  institution's  privacy  policy. 


181 


5.  Financial  Institutions  Have  Procedures  Designed  to  Maintain  Accurate  Information 

Financial  instimtions  have  procedures  designed  to  maintain  accurate,  current  and  complete  customer 
information.  Financial  institutions  respond  in  a  timely  manner  to  customer  requests  to  correct 
information. 

6.  Financial  Institutions  Help  Protect  Customers  Against  Criminal  Use  of  Their  Information 

Financial  institutions  help  protect  customers  against,  and  educate  customers  about  how  to  protect 
themselves  from,  criminal  use  of  their  information.  Financial  institutions  use  a  combination  of 
safeguards  to  protect  customer  information,  such  as  employee  training,  rigorous  security  standards, 
encryption  and  fraud  detection.  Institutions  work  with  law  enforcement  officials  to  pursue  individuals 
who  fraudulendy  use  information. 

7.  Financial  Institutions  Have  Procedures  to  Prevent  Unauthorized  Access  to  Customer  Information 

Financial  institutions  maintain  security  and  confidentiality  procedures  designed  to  prevent  unauthorized 
access  to  customer  information. 

8.  Sharing  Information  Within  the  Family  of  Companies  Improves  Customer  Service 

Financial  institutions  share  information  within  their  family  of  companies  in  order  to  provide  customers 
with  the  best  possible  products  and  services  at  reasonable  prices,  and  to  prevent  fraud  and  criminal 
activity.  Financial  institutions  describe  the  options  they  make  available  to  customers  to  provide  or 
restrict  information  within  the  family  of  companies,  make  it  convenient  for  customers  to  choose  among 
those  options,  and  honor  the  choices  that  are  made. 

9.  Disclosure  of  Information  Outside  the  Family  of  Companies  is  Restricted 

If  information  is  provided  outside  the  family  of  companies  for  marketing  nonfinancial  products,  financial 
institutions  provide  each  customer  the  opportunity  to  prevent,  or  opt-out  of,  the  exchange  of  information. 
If  such  information  is  provided  to  parties  outside  the  family  of  companies,  financial  institutions  obligate 
such  parties  to  adhere  to  the  financial  institution's  policy  that  provides  for  keeping  such  information 
confidential,  and  inform  them  that  it  is  against  the  law  to  disclose  such  information  for  any  purpose  other 
than  that  for  which  it  was  originally  provided. 

10.  Account  Numbers  Are  Not  Provided  Outside  the  Family  Of  Companies  For  Marketing  Purposes 

Financial  institutions  do  not  provide  account  numbers  to  parties  outside  the  family  of  companies  for 
marketing  purposes. 


180 


Voluntary  Guidelines  for  Responsible  Use  and  Protection  of  Customer 

Information 

Guidelines 

1.  Financial  Institutions  Recognize  Customers'  Expectations  for  Responsible  Use  and  Protection  of 
Information  and  Communicate  Their  Information  Practices  to  Those  Customers 

Financial  institutions  recognize  and  respect  the  expectations  of  their  customers  regarding  use  of  f)ersonal 
information,  and  provide  information  to  customers  on  how  information  about  them  is  used  and 
protected,  and  the  benefits  such  use  provides.  Financial  institutions  provide  their  customers  with  their 
policies  on  responsible  use  and  safeguarding  of  information,  and  provide  a  means  by  which  customers 
can  leam  more  about  the  information  practices  of  their  institutions. 

2.  Preserving  Trust  is  a  Core  Value 

Safeguarding  customer  information  requires  standards  of  conduct  for  each  employee  regarding  the 
responsible  use  and  protection  of  personally  identifiable  information.  Financial  institutions  educate  their 
employees  to  respect  the  importance  of  maintaining  the  confidentiality  of  customer  information  and  take 
appropriate  disciplinary  measures  to  enforce  employee  responsibilities. 

3.  Medical  Information  Will  Not  Be  Shared 

Financial  institutions  recognize  that,  when  consumers  provide  medical  information  for  a  specific 
purpose,  they  do  not  wish  it  to  be  used  for  other  purposes,  such  as  for  marketing,  or  in  making  a  credit 
decision.  If  a  customer  provides  personal  medical  information  to  a  financial  institution,  the  financial 
institution  will  not  disclose  the  information,  unless  authorized  by  the  customer. 

4.  Responsible  Use  of  Information  Provides  Customer  Benefits 

Information  financial  institutions  collect  provides  significant  customer  benefits.  It  enables  financial 
institutions  to  understand  customers'  financial  needs,  improve  products  and  services,  comply  with  laws 
and  regulations,  provide  enhanced  customer  service,  and  protect  customers  against  fiaud. 


182 


/ 1  L  L  f  muRERS 


mERICMI 

comcii 


Testimony  of  the 

AMERICAN  COUNCIL  OF  LIFE  INSURERS 

Before  the 

HOUSE  COMMITTEE  ON  BANKING  AND  FINANCIAL 

SERVICES 


On 

The  Medical  Financial  Privacy  Protection  Act 


June  14,  2000 
2128  Raybum  House  Office  Building 


1001  Pennsylvania  Avenue,  NW  -  5*  Floor  Washington.  DC  20004-2599 
Telephone:  202/624-2000    Facsimile:  202/624-2319 


183 


I.        INTRODUCTION 

The  American  Council  of  Life  Insurers  (ACLI)  is  pleased  to  submit  this  statement  on  the 
Medical  Financial  Privacy  Protection  Act  (H.R.  4585)  to  the  House  Committee  on  Banking  and 
Financial  Services.  The  ACLI  is  a  national  trade  association  whose  435  member  companies 
represent  approximately  73  percent  of  the  life  insurance  and  87  percent  of  the  long  term  care 
insurance  in  force  in  the  United  States.  They  also  represent  over  80  percent  of  the  domestic 
pension  business  funded  through  life  insurance  companies  and  71  percent  of  the  companies  that 
provide  disability  income  insurance.  The  ACLI  commends  Chairman  Jim  Leach  for  calUng  a 
hearing  on  this  important  subject  and  for  sponsoring  this  legislation. 

n.     ACLI  POLICY  POSITION 

Life,  disability  income,  and  long  term  care  insurers  are  well  aware  of  the  unique  position 
of  responsibility  they  have  regarding  an  individual's  personal  medical  and  financial  information. 
ACLI  member  companies  are  strongly  committed  to  the  principle  that  individuals  have  a 
legitimate  interest  in  the  proper  collection  and  handling  of  their  personal  information  and  that 
insurers  have  an  obligation  to  assure  individuals  of  the  confidentiality  of  that  information. 
Toward  this  end,  the  ACLI  Board  of  Directors  has  adopted  policy  in  relation  to  confidentiaUty  of 
medical  and  financial  information. 

ACLI's  Confidentiality  of  Medical  Information  Principles  of  Support  and  Confidenfialitv 
of  Financial  Information  Principles  Support  are  grounded  in  the  industry's  long  history  of 
dealing  with  highly  sensitive  information  in  a  professional  and  appropriate  manner.  These 
principles  also  acknowledge  the  changing  horizon  of  the  financial  marketplace.  For  example, 
where  a  bank  and  an  insurer  are  affiliated,  should  a  bank  evaluating  an  application  for  a  mortgage 
or  credit  be  able  to  use  medical  information  from  the  insurer  indicating  that  a  mortgage  applicant 
has  a  history  of  heart  disease?  ACLI  member  companies  strongly  believe  that  the  answer  to  that 
question  -  and  similar  ones  -  should  be  a  resounding  "  NO." 

We  support  strict  protections  for  medical  record  confidentiality,  including  a  prohibition 
on  an  insurer  sharing  medical  records  with  a  financial  company,  such  as  a  bank,  for  use  in 
determining  eligibiUty  for  a  loan  or  other  credit  -  even  if  the  insurance  company  and  the  financial 
company  are  commonly  owned.  We  also  support  a  prohibition  on  the  sharing  of  medical 
information  by  an  insurer  for  marketing  purposes.  It  is  our  policy  that  life,  disability  income,  and 
long  term  care  insurers  should  not  share  medical  information  for  marketing  purposes,  for 
example,  with  pharmaceutical  companies  or  drug  stores.  Copies  of  the  ACLI  "Principles  of 
Support"  are  attached. 

The  very  nature  of  life,  disabiUty  income  and  long  term  care  insurance  involves  personal 
and  confidential  relationships.  These  insurers  must  be  able  to  obtain,  use,  and  share  their 
customers'  personal  health  and  financial  information  to  perform  legitimate  insurance  business 
fimctions.  These  functions  are  essential  to  insurers'  ability  to  serve  and  meet  their  contractual 
obhgations  to  their  existing  and  prospective  customers.  ACLI  member  companies  also  believe 


184 


that  the  sharing  of  information  with  affiliates  and  unaffiliated  third  parties  generally  increases 
efficiency,  reduces  costs,  and  makes  it  possible  to  offer  economies  and  innovative  products  and 
services  to  consumers  that  otherwise  would  not  be  available. 

LIFE,  DISABILITY  INCOME,  AND  LONG  TERM  CARE  INSURANCE  POLICIES 

The  fundamental  purpose  of  life,  disability  income  and  long  term  care  insurance  is  to 
provide  financial  security  for  individuals  and  families: 

•  Life  insurance  provides  financial  protection  to  beneficiaries  in  the  event  of  the 
insured's  death.  Proceeds  fi-om  a  life  insurance  policy  may  help  a  surviving 
spouse  pay  a  mortgage  or  send  children  to  daycare  or  college. 

•  Disability  income  insurance  replaces  lost  income  when  a  person  is  unable  to 
work  due  to  injmy  or  illness. 

•  Long  term  care  insurance  helps  protect  individuals  and  families  fi'om  the 
financial  hardships  associated  with  the  costs  of  services  required  for  continuing 
care,  for  example,  when  someone  suffers  a  catastrophic  or  disabling  illness. 

Every  year  America's  life,  disability  income  and  long  term  care  insurers  enter  into 
millions  of  insurance  contracts.  Those  contracts  represent  the  promises  we  keep  to  our 
policyholders. 

m.    USE  OF  PERSONAL  HEALTH  AND  FINANCIAL  INFORMATION 
BY  LIFE,  DISABILITY  INCOME,  AND  LONG  TERM  CARE 
INSURERS 

UNDERWRITING  THE  POLICY 

When  a  consumer  begins  the  search  for  a  life,  disability  income,  or  long  term  care 
insurance  product,  he  or  she  often  begins  by  meeting  with  an  insurer's  sales  representative. 
Generally,  the  sales  representative  will  discuss  with  the  individual  his  or  her  family's  financial 
security  and  estate  plaiming  goals.  If  the  consimier  decides  to  apply  for  individually 
underwritten  insurance,  the  sales  representative  will  complete  an  application. 

Many  of  the  application  questions  concern  nonmedical  information,  such  as  age, 
occupation,  income,  net  worth,  other  insurance  and  beneficiary  designations.  Other  questions 
focus  on  the  proposed  insured's  health,  including  current  medical  condition  and  past  illnesses, 
injuries  and  medical  treatments.  The  sales  representative  also  will  ask  the  applicant  to  provide 
the  name  of  each  physician  or  practitioner  consulted  in  connection  with  any  ailment  within  a 
specified  period  of  time  (typically  five  years). 

Up  to  this  point  in  the  process,  the  information  the  insurance  company  receives  about  the 


185 


applicant  has  come  directly  from  the  applicant.  Depending  on  his  age  and  medical  history  and 
the  amount  of  insurance  applied  for,  the  insurance  company  may  require  medical  record 
information  or  additional  financial  information.  When  the  sales  representative  takes  the 
consumer's  application  for  insurance,  the  agent  also  will  ask  him  to  sign  a  consent  form 
authorizing  the  insurance  company  to  verify  and  supplement  the  information  about  him,  and  to 
obtain  additional  information  if  it  is  needed  to  evaluate  the  appHcation. 

The  medical  information  that  insurance  companies  typically  request  of  applicants  includes 
routine  measurements,  such  as  height  and  weight,  blood  pressure,  and  cholesterol  level.  The 
insurer  may  also  seek  an  evaluation  of  blood,  urine  or  oral  fluid  specimens,  including  tests  for 
tobacco  or  drug  use  or  HTV  infection.  Medical  tests  are  done  only  with  the  apphcant's  consent. 
Since  life,  disability  income,  and  long  term  care  insurance  policies  are  long  range  financid 
products  purchased  to  provide  fmancial  security,  it  is  often  necessary  for  the  insurer  to  also 
assess  and  use  personal  financial  information,  such  as  occupation,  income,  net  worth,  assets,  and 
estate  planning  goals. 

The  price  of  Hfe,  disability  income,  or  long  term  care  insurance  is  generally  based  on  the 
proposed  insured's  gender,  age,  present  and  past  state  of  health,  possibly  his  or  her  job  or  hobby, 
and  the  type  and  amount  of  coverage  sought.  Life,  disabiUty  income,  and  long  term  care  insurers 
gather  this  information  during  the  underwriting  process.  Based  on  this  information,  the  insurer 
groups  insureds  into  pools  in  order  to  share  the  financial  risks  presented  by  dying  prematurely, 
becoming  disabled  or  needing  long  term  care. 

This  system  of  classifying  proposed  insureds  by  level  of  risk  is  called  risk  classification. 
It  enables  insurers  to  group  together  people  with  similar  characteristics  and  to  calculate  a 
premium  based  on  that  group's  level  of  risk.  Those  with  similar  risks  pay  the  same  premiums. 
The  process  of  risk  classification  provides  the  fundamental  framework  for  the  current  private 
insurance  system  in  the  United  States.  It  is  essential  to  insurers'  abihty  to  determine  premiums 
which  are  adequate  to  pay  future  claims  and  fair  relative  to  the  risk  posed  by  the  proposed 
insiured. 

Some  individuals  are  concerned  that  their  medical  record  information  will  be  "used 
against  them"  to  deny  or  cancel  coverage,  or  to  increase  premiums.  In  fact,  underwriting  and  the 
process  of  risk  classification,  based  in  large  part  on  medical  record  information,  have  made  life, 
disability  income  and  long  term  care  insurance  widely  available  and  affordable:  95  percent  of 
individuals  who  apply  for  life  insurance  are  issued  policies  and  91  percent  obtain  it  at  standard  or 
better  rates. 

Once  a  Hfe,  disability  income,  or  long  term  care  insurance  policy  is  issued,  it  cannot  be 
canceled  for  any  reason  except  for  nonpayment  of  premiums.  Premiums  for  these  types  of 
coverage  cannot  be  raised  because  an  individual  files  a  claim,  or  because  an  individual  becomes 
ill  after  purchasing  the  poUcy.  However,  if  an  individual  suffers  from  a  serious  medical  problem 
at  the  time  a  life  insurance  policy  is  issued,  the  premium  may  be  reduced  in  some  cases  when  the 
insured's  health  improves.  Also,  although  premiums  for  some  disability  income  or  long  term 
care  insurance  policies  may  be  increased  based  on  macro-economic  factors,  they  may  never  be 


186 


increased  on  an  individual  basis.  Disability  income  and  long  term  care  insurance  premiums  may 
only  be  increased  for  a  whole  block  of  policies,  usually  only  to  ensure  that  premiums  are 
adequate  to  pay  claims. 

THE  BUSINESS  OF  LIFE,  DISABILITY  INCOME,  AND  LONG  TERM  CARE 
INSURANCE 

Once  a  life,  disability  income,  or  long  term  care  insurer  has  an  individual's  personal  health 
and  financial  information,  the  insurer  limits  who  sees  it.  However,  the  insurer  must  use  and 
share  that  information  to  perform  legitimate,  essential  insurance  business  functions  -  to 
underwrite  the  applications  of  prospective  customers,  as  described  above,  to  administer  and 
service  existing  contracts  with  consumers,  and  to  perform  related  product  or  service  functions. 
Life,  disability  income,  and  long  term  care  insurers  must  disclose  personal  information  in  order 
to  comply  with  various  regulatory/legal  mandates  and  in  furtherance  of  certain  public  policy 
goals  (such  as  the  detection  and  deterrence  of  fi-aud).  Activities  in  cormection  with  ordinary 
proposed  and  consummated  business  transactions,  such  as  reinsurance  treaties  and  mergers  and 
acquisitions,  also  necessitate  insurers'  sharing  of  personal  information. 

PERFORMANCE  OF  ESSENTIAL  INSURANCE  BUSINESS  FUNCTIONS 

Many  insurers  use  affiliates  or  imaffiliated  third  parties  to  perform  all  or  part  of  the 
essential,  core  fimctions  associated  with  an  insurance  contract.  It  is  quite  common  for  these 
insiu'ers  to  use  affiliates  or  third  parties  to  perform  basic  functions  such  as  imderwriting,  claims 
evaluation,  and  poucy  administration.  In  addition,  insurers  also  use  third  parties  to  perform 
important  business  functions,  not  necessarily  directly  related  to  a  particular  insurance  contract, 
but  essential  to  the  administration  or  servicing  of  insurance  policies  generally,  such  as,  for 
example,  development  and  maintenance  of  computer  systems. 

Third  parties,  such  as  actuaries,  employee  benefits  or  other  consultants,  physicians, 
attorneys,  auditors,  investigators,  translators,  records  administrators,  third  party  administrators, 
and  others  are  often  used  to  perform  business  functions  necessary  to  effect,  administer,  or 
enforce  insurance  policies  or  the  related  product  or  service  business  of  which  these  policies  are  a 
part.  Often  these  arrangements  with  afBliates  or  unaffiliated  third  parties  provide  the  most 
efficient  and  economical  way  for  an  insurer  to  serve  prospective  and  existing  customers.  The 
economies  and  efficiencies  devolving  fi-om  these  relationships  inure  to  the  benefit  of  the 
insiu-er's  customers. 

If  an  individual  were  to  be  permitted  to  withhold  consent  for  a  life,  disability  income,  or 
long  term  care  insurer  to  share  his  or  her  personal  information  with  an  affiliate  or  a  third  party 
performing  a  core  insurance  business  fiinction  for  the  insurer,  it  would  be  extremely  difficult,  if 
not  impossible,  for  the  insurer  to  provide  that  consiuner  with  the  coverage,  service,  benefits,  or 
economies  that  otherwise  would  be  available.  For  example,  suppose  an  individual  seeks  life 
insurance  coverage  fi-om  an  insurer  which  uses  an  affiUate  or  a  third  party  to  do  its  underwriting. 
If  the  individual  withholds  or  subsequently  withdraws  consent  for  the  insurer  to  divulge  his 
personal  health  information,  the  insurer  either  cannot  underwrite  the  policy  because  it  does  not 


187 


have  the  internal  capacity  to  do  so  or  it  must  create  a  special  system  to  accommodate  this  one 
individual. 

DISCLOSURES  PURSUANT  TO  REGULATORY/LEGAL  MANDATES  OR  TO 
ACHIEVE  CERTAIN  PUBLIC  POLICY  GOALS 

Life,  disability  income,  and  long  term  care  insurers  must  regularly  disclose  personal  health 
and  financial  information  to:  (1)  state  insurance  departments  as  a  result  of  their  general 
regulatory  oversight  of  insurers,  which  includes  regular  market  conduct  and  financial 
examinations  of  insurers;  (2)  self-regulatory  organizations,  such  as  the  Insurance  Marketplace 
Standards  Association  (IMSA),  which  imposes  and  monitors  adherence  to  requirements  with 
respect  to  member  insurers'  conduct  in  the  marketplace;  and  (3)  state  insurance  guaranty  funds, 
which  seek  to  satisfy  policyholder  claims  in  the  event  of  impairment  or  insolvency  of  an  insurer 
or  to  facilitate  rehabilitations  or  hquidations  which  typically  require  broad  access  to  policyholder 
information.  Any  limitation  on  these  disclosiu^es  would  seem  likely  to  operate  counter  to  the 
underlying  pubUc  policy  reasons  for  which  they  were  originally  mandated  -  to  protect 
consumers. 

Life,  disabiUty  income,  and  long  term  care  insurers  need  to  (and,  in  fact,  in  some  states  are 
required  to)  disclose  personal  information  in  order  to  protect  against  or  to  prevent  actual  or 
potential  fraud.  Such  disclosures  are  made  to  law  enforcement  agencies,  state  insurance 
departments,  the  Medical  Information  Bureau  (MIB),  or  outside  attorneys  or  investigators,  which 
work  for  the  insurer.  Any  limitation  on  insurers'  ability  to  make  these  disclosures  would  seem 
likely  to  undermine  the  public  policy  goal  of  reducing  fraud,  the  costs  of  which  are  ultimately 
borne  by  consumers. 

The  continued  ability  to  make  disclosures  to  the  MIB  is  essential  to  insurers'  efforts  to 
combat  fraud,  yet  it  often  comes  imder  attack.  The  purpose  of  the  MIB  is  to  reduce  the  cost  of 
insurance  by  helping  insurers  detect  (and  deter)  attempts  by  insurance  applicants  to  conceal  or 
misrepresent  facts.  A  provision  permitting  individuals  to  withhold  consent  for  insurers  to  make 
disclosures  to  the  MIB  would  require  the  insiu-ance  industry  to  abandon  this  effort  at  combating 
fraud  and  abuse.  It  would  be  like  asking  a  bank  not  to  do  a  credit  check  before  it  issues  a 
mortgage.  The  result  would  be  higher  costs  for  all  consumers. 

ORDINARY  BUSINESS  TRANSACTIONS 

In  the  event  of  a  proposed  or  consummated  sale,  merger,  transfer,  or  exchange  of  all  or  a 
portion  of  an  insurance  company,  it  is  often  essential  that  the  insurer  be  able  to  disclose  company 
files.  Naturally,  these  files  can  contain  personal  information.  Such  disclosures  are  oflen  necessary 
to  the  due  diUgence  process  which  takes  place  prior  to  consummation  of  the  deal  and  are  clearly 
necessary  once  the  deal  is  completed  when  the  newly  created  entity  often  must  use  policyholder 
files  in  order  to  conduct  business. 

Insurers  also  frequently  enter  into  reinsurance  contracts  in  order  to,  among  other  things, 
increase  the  amount  and  volume  of  coverage  they  can  provide.  These  arrangements  often 


188 


necessitate  the  disclosure  of  personal  information  by  the  primary  insurer  to  the  reinsurer. 
Depending  on  the  particular  reinsurance  treaty,  this  might  happen  because  the  reinsurer:  (1) 
wishes  to  examine  the  ceding  insurer's  underwriting  practices;  (2)  actually  assumes 
responsibility  for  underwriting  all  or  part  of  the  risk;  or  (3)  administers  claims. 

If  an  individual  insured  were  to  be  permitted  to  withhold  or  withdraw  consent  for  an 
insurer  to  disclose  personal  information  in  situations  where  the  sharing  of  that  individual's  file  is 
necessary  to  a  merger,  acquisition,  or  reinsurance  arrangement,  that  individual  could  hold 
hostage  or  prevent  a  transaction  likely  to  benefit  hundreds,  or  possibly  thousands,  of  other 
policyholders.  This  would  deprive  other  policyholders  of  the  economies  and  product 
opportunities  for  which  the  transaction  was  originally  sought. 

rV.    SPECIFIC  COMMENTS  ON  H.R.  4585 

As  you  know.  Title  V  of  the  Gramm-Leach-Bliley  (GLB)  Financial  Services 
Modernization  Act  signed  into  law  last  year  provides  American  consimiers  with  the  most 
comprehensive  financial  privacy  protections  in  the  nation's  history.  Under  the  GLB  Act: 

Every  financial  institution  is  required  to  disclose  to  consumers  its  policy  and  practices 
designed  to  protect  the  confidentiality  and  security  of  personal  financial  information  at  the 
start  of  a  business  relationship,  and  at  least  once  each  year  for  the  remainder  of  the 
relationship. 

Every  financial  institution  is  prohibited  fi-om  disclosing  accoimt  nimibers  to  unrelated 
third  parties  for  use  in  direct  marketing,  telemarketing,  or  marketing  through  e-mail  to 
consimiers. 

Consumers  have  the  legal  right  to  say  no  or  to  opt-out  of  the  disclosure,  transfer  or  sale  of 
their  personal  financial  information  to  unrelated  third  parties,  unless  the  disclosure  is  to  a 
service  provider,  pursuant  to  a  joint  agreement  between  financial  institutions,  or  for  an 
ordinary  business  purpose. 

It  a  federal  crime  to  obtain  private  personal  information  fi-om  a  financial  institution  imder 
false  pretenses. 

We  appreciate  that  the  bill  under  consideration  today  follows  the  fi^amework  of  the  GLB 
Act.  It  appropriately  seeks  to  balance  consumers'  confidentiality  requirements  with  financial 
institutions'  need  to  disclose  medical  information,  like  financial  information,  in  order  to  perform 
ordinary  business  fiinctions.  However,  we  beUeve  that  the  bill  fails  to  achieve  this  balance.  We 
are  concemed  about  several  provisions  of  the  legislation. 

GLB  ACT  EXEMPTIONS 

The  bill  fails  to  include  several  of  the  key  GLB  Act  exemptions.  GLB  Act  Section 


189 


502(b)(2)  provides  an  exemption  for  financial  institutions'  disclosures  to  nonaffiliated  third  party 
service  providers.  Section  502(e)  exempts  disclosures  to  nonaffiliated  third  parties  performing 
ordinary  business  functions  for  the  financial  institution.  It  is  absolutely  critical  that  the  same 
exemptions  be  provided  with  respect  to  disclosures  of  individually  identifiable  health 
information  as  have  been  provided  with  respect  to  disclosures  of  financial  information. 
Otherwise,  insurers'  ability  to  service  their  existing  and  prospective  customers  will  be 
significantly  jeopardized. 

The  bill  does  not  provide  an  exemption  for  disclosures  by  a  financial  institution  to 
nonaffiliated  third  parties  performing  services  for,  or  ftmctions  on  behalf  of,  the  financial 
institution.  As  a  result,  every  day  communications  between  an  insurer  and  its  third  party 
contractor  agents  would  be  hindered.  These  communications  are  often  essential  to  an  agent's 
ability  to  best  advise  a  prospective  customer  with  respect  to  which  insurance  policy  (or  policies) 
may  be  best  for  his  or  her  particular  circumstances. 

The  bill  also  fails  to  follow  the  GLB  Act  by  not  including  exemptions  for  disclosures  to 
state  guaranty  funds  or  disclosures  governed  by  the  federal  Fair  Credit  Reporting  Act  (FCRA).  It 
would  seem  to  be  contrary  to  the  public  interest  to  hinder  disclosures  to  state  guaranty  fimds 
which  seek  to  pay  consumers'  claims  in  the  event  of  insurer  insolvencies.  Moreover,  given  the 
GLB  Act's  explicit  language  preserving  the  FCRA,  it  is  unclear  why  the  GLB  Act  exemption  for 
disclosures  governed  by  this  Act  has  not  been  included. 

In  view  of  the  above,  the  ACLI  strongly  urges  that  the  bill  be  amended  to  include  all  the 
GLB  Act  exemptions.  In  this  event,  the  bill  still  would  address  consumers'  confidentiality 
concerns  relating  to  their  individually  identifiable  health  information  without  uimecessarily 
jeopardizing  insurers'  ability  to  best  serve  consumers  which  come  to  them  for  insurance  products 
and  services. 

RIGHTS  TO  ACCESS,  CORRECT,  AND  AMEND 

Section  2(c)  of  the  bill  would  grant  consumers  an  extremely  broad  right  to  access  and 
correct  individually  identifiable  health  information  held  by  financial  institutions.  The  bill  fails  to 
clearly  protect  fi"om  this  access  information  compiled  in  anticipation  of  or  in  connection  with  an 
investigation  of  fi^ud  or  material  misrepresentation.  It  also  fails  to  clearly  protect  information 
gathered  in  connection  with  legal  proceedings.  This  would  seem  to  be  counter  to  the  public 
interest.  The  ACLI  strongly  urges  amendment  to  clarify  and  appropriately  limit  this  access  to 
that  which  meets  consumers'  legitimate  needs  and  concerns  without  needlessly  jeopardizing  a 
number  of  public  poUcy  goals. 

SPECIAL  REQUIREMENT  TO  PROTECT  MENTAL  HEALTH  INFORMATION 

The  bill  provides  special  protection  for  mental  health  information.  Section  3(a)(3)(A) 
requires  that  the  regulations  issued  to  carry  out  this  Act  include  special  policies  and  procedures 
to  protect  the  confidentiahty  of  mental  health  information.  We  are  concerned  that  requiring 
"special  procedures"  with  regard  to  mental  health  information  will  result  in  the  segregation  of 


65-149    2001  -  7 


190 


this  information  that  could  jeopardize  a  hfe,  disabiHty  income,  or  long  term  care  insurer's  access 
to  this  information.  Insurers  must  be  able  to  access  medical  information  relevant  to  the 
underwriting  and  claims  processes.  Without  access  to  relevant  medical  information  existing  at 
the  time  of  application,  the  insurer  cannot  accurately  calculate  risk.  This  could  result  in 
premiums  that  do  not  fairly  reflect  the  level  of  risk  presented  by  individuals,  resulting  in  adverse 
selection.  Similarly,  without  access  to  relevant  medical  information  during  the  claims  evaluation 
process,  an  insurer  will  have  no  way  to  determine  its  obligation  under  an  existing  insurance 
contract. 

Section  2(a),  amending  the  Gramm-Leach-Bliley  Act  at  502(A)(d)  requires  a  separate  and 
specific  consent  for  mental  health  information.  A  major  objective  of  the  proposed  legislation  is  to 
provide  individuals  with  greater  control  over  their  protected  health  information.  This  can  be 
achieved  without  imposing  unnecessary  burdens  on  the  financial  institutions  that  would  be 
governed  by  the  Act.  Given  adequate  notice  regarding  mental  health  information,  there  is  no 
reason  to  require  a  separate  authorization  for  this  medical  information.  Mental  illnesses  are  real, 
diagnosable,  and  treatable.  The  rules  governing  the  privacy  of  medical  information  should  apply 
equally  to  all  medical  infonnation.  Thus,  the  ACLI  strongly  urges  that  the  bill  be  amended  to 
delete  the  proposed  requirements  for  special  policies  and  procedures  and  separate  consent  in 
relation  to  mental  health  information. 

PREEMPTION 

The  ACLI  supports  the  principle  that  in  the  event  federal  medical  privacy  legislation  is 
considered  by  Congress,  that  legislation  should  preempt  related  state  laws.  Life,  disability 
income  and  long  term  care  insurers  engage  in  interstate  commerce  —  their  customers  should 
know  that  health  information  disclosed  by  these  entities  is  governed  by  the  same  standards  of 
protection,  regardless  of  their  location.  This  bill,  unlike  the  comprehensive  medical  information 
privacy  bills,  deals  exclusively  with  financial  institutions.  The  issues  surroimding  preemption 
that  stalled  the  debate  on  comprehensive  legislation,  including  the  possible  preemption  of  state 
parental  notification  laws,  do  not  exist  in  this  legislation.  Thus,  there  is  no  reason  for  this  bill  not 
to  clearly  preempt  state  laws  in  this  area. 

V.      CONCLUSION 

It  is  imperative  that  any  debate  in  relation  to  medical  records  privacy  be  thoughtful  and  not 
poUtical.  We  have  grave  doubt  that  thoughtful  debate  is  possible  at  this  time  in  the  highly 
poUticized  environment  of  an  election  year.  Any  legislation  in  relation  to  this  issue  must  reflect  a 
careful  balance  of  consumers'  confidentiality  concerns  with  consumers'  insurance  needs.  No 
medical  records  privacy  bill  should  jeopardize  the  current  life,  disability  income,  and  long  term 
care  insurance  marketplace  which  meets  consumers'  insurance  needs.  No  medical  records 
privacy  bill  should  jeopardize  insurers'  ability  to  xmderwrite,  process  claims,  and  perform  other 
core  or  ordinary  insurance  business  functions. 

We  appreciate  that  certain  provisions,  found  in  the  comprehensive  health  information 
privacy  bills,  which  could  significantly  jeopardize  the  current  life,  disabiUty  income  or  long  term 


191 


care  insurance  marketplace,  have  not  been  included  in  this  measure  which  focuses  exclusively  on 
financial  institutions.  We  strongly  urge  that  the  exceptions  outlined  in  the  GLB  Act  that  were 
not  included  in  this  legislation  be  restored.  Finally,  we  also  strongly  urge  you  not  to  raise  issues 
that  have  been  divisive  in  other  medical  privacy  debates,  namely  third  party  liabiUty  issues  under 
a  "business  partners"  concept,  and  excessive  damages  awards,  including  punitive  damages. 

Again,  the  ACLI  greatly  appreciates  your  leadership.  Chairman  Leach,  on  this  issue  so 
important  to  American  consumers  and  those  who  serve  them.  This  industry  has  a  long  history  of 
dealing  with  medical  information  in  an  appropriate,  confidential  fashion.  Over  the  past  200 
years,  we've  earned  the  trust  of  our  customers.  And  we  intend  to  keep  it. 


192 

Con  Aden tiality  of  Financial  Information 

Principles  of  Support 

Life  insurers  provide  financial  security  for  millions  of  Americans  through  life,  long-term  care, 
and  disability  income  insurance  and  annuities.  To  enable  companies  to  provide  products  that 
meet  an  individual's  or  family's  unique  needs,  insurers  ask  questions  and  collect  financial 
information. 

Life,  disability  income  and  long-term  care  insurers  recognize  consumers  are  concerned  about 
revealing  financial  information.  They  want  to  know  how  the  information  wall  be  used  and  who 
will  have  access  to  it.  Life  insurers  should  have  policies  and  practices  that  address  these 
concerns  and  protect  confidentiality. 

Insurance  companies  strongly  support  the  following  principles,  which  require  financial 
information  to  be  treated  confidentially. 

Separate  Principles  for  Medical  and  Financial  Information 

Life  insurers  recognize  that  customers  have  special  concerns  regarding  medical  information. 
Therefore,  insurers  have  separate  poHcies  and  practices  for  securing  the  confidentiality  of 
medical  information. 

Strict  Policies  and  Practices  to  Protect  Financial  Information 

An  insurer  will  have  pohcies  and  practices  in  force  to  protect  the  confidentiality  and  security  of 
financial  information.  These  policies  and  practices  are  designed  to  protect  the  information  from 
unauthorized  access  and  use  so  that  customers  are  not  substantially  harmed  or  inconvenienced. 

Customer  Notification  of  Confidentiality  and  Security  Policies 

Customers  will  be  notified  of  the  policies  and  practices  an  insurer  follows  to  protect  the 
confidentiality  and  security  of  their  financial  information.  The  insurer  wall  give  customers  a 
notice  of  its  policies  and  practices  before  or  at  the  time  a  contract  is  issued,  and  after  that  on  an 
aimual  basis,  for  as  long  as  the  contract  is  in  force. 

Customer  Access  to  Financial  Information 

Upon  request,  customers  are  entitled  to  have  access  and  correction  rights  to  their  financial 
information  collected  in  coimection  with  an  application  for  life,  disability  income,  and  long-term 
care  insurance  and  aimuities. 

Limitations  on  Sharing  Financial  Information 

An  insurer  may  share  financial  information  to  issue  contracts  and  to  administer  and  service  its 


193 


business.  For  example,  an  insurer  may  share  financial  information  to  facilitate  paying  claims, 
provide  consolidated  financial  statements  of  a  customer's  accounts,  prevent  fiaud,  or  comply 
with  the  law. 

An  insurer  may  share  financial  information  only  with  organizations  that  are  subject  to  the  same 
restrictions  on  information  sharing  as  the  insurer. 

Strict  Rules  on  Sharing  Financial  Information  for  Marketing  Purposes 

An  insurer's  notice  of  policies  and  practices  about  financial  information  will  inform  customers 
that  the  information  may  be  shared  for  marketing  products  and  services  consumers  may  find 
usefiil.  For  example,  an  insurer  may  share  financial  information  within  its  corporate  family,  with 
a  financial  institution  with  which  it  has  a  joint  agreement,  or  with  an  organization  responsible  for 
marketing  the  insurer's  products  and  services. 

The  insurer  will  give  customers  the  opportunity  to  direct  that  financial  information  not  be  shared 
if  the  products  and  services  being  marketed  are  not  offered  through  the  insurer's  corporate 
family,  through  a  joint  agreement  with  another  financial  institution,  or  by  an  organization 
marketing  the  insurer's  products  and  services. 


194 

Confidentiality  of  Medical  Information 

Principles  of  Support 

Life,  long-term  care  and  disability  income  insurance  companies  recognize  an  individual's 
medical  information  is  personal,  sensitive  and  must  be  protected.  Companies  have  policies  and 
practices  in  place  to  protect  the  confidentiality  and  security  of  an  individual's  medical 
information,  and  individuals  have  a  right  to  have  information  about  those  policies  and  practices. 

Insurance  companies  strongly  support  the  following  principles,  which  require  individually 
identifiable  medical  information  to  be  treated  confidentially. 

Strict  Restrictions  on  Obtaining  Medical  Information 

•  Medical  information  will  not  be  collected  without  an  individual's  authorization  in 
connection  with  an  apphcation  for  life,  long-term  care  and  disabihty  income  insurance. 

Strict  Ban  on  Sharing  Medical  Information  for  Marketing 

•  Medical  information  will  not  be  shared  for  marketing  purposes. 

Strict  Ban  on  Sharing  Medical  Information  with  Other  Financial  Companies 

•  Under  no  circumstances  will  an  insiuance  company  share  an  individual's  medical 
information  with  a  financial  company,  such  as  a  bank,  in  determining  eUgibihty  for  a  loan 
or  other  credit  -  even  if  the  insurance  company  and  the  financial  company  are  conmionly 
owned. 

Strict  Restrictions  on  Disclosing  Medical  Information 

•  Any  disclosure  of  medical  information  without  an  individual's  permission  will  be  made 
only  in  limited  circumstances  as  authorized  or  required  by  law.  For  example,  information 
may  be  disclosed  to  facihtate  paying  claims,  and  to  state  insurance  commissioners 
enforcing  consumer  protection  laws. 

•  Disclosures  of  medical  information  will  contain  only  the  information  authorized  by  the 
individual  or  authorized  or  required  by  law.  The  recipient  of  the  information  should  be 
subject  to  the  same  confidentiaUty  standards  as  the  insiu-ance  company. 

•  The  insiu'ance  company  must  inform  an  individual,  upon  request,  what  medical 
information  has  been  disclosed  and  to  whom  it  has  been  disclosed. 

•  An  individual  may  sue  for  actual  damages  if  an  insurance  company  improperly  discloses 
personal  medical  information. 


195 


Strict  Confidentiality  Policies  and  Practices 

•  Life,  long-term  care  and  disability  income  insurance  companies  must  document  their 
confidentiality  policies  and  practices,  and  adopt  internal  operating  procedures  to  restrict 
access  to  medical  information. 

•  An  individual  is  entitled  to  receive  information  describing  the  insurance  company's 
medical  information  confidentiality  policies  and  practices. 

•  Upon  request,  an  individual  is  entitled  to  access  medical  information  collected  in 
connection  with  an  application  for  life,  long-term  care  and  disabiUty  income  insurance 
and  to  obtain  correction  of  inaccurate  medical  information. 

Uniform  Confidentiality  Protection 

•  State  legislation  seeking  to  implement  these  principles  should  be  uniform.  Any  federal 
legislation  seeking  to  implement  the  principles  should  preempt  all  state  requirements 
relating  to  the  confidentiality  of  medical  information. 


196 


Publisher  ol  Consumer  Hepons 


Testimony  of 

Nicole  Season 

Esther  Peterson  Fellow 
Washington  Office 
Consumers  Union 

Before  the 

House  Committee  on 
Banking  and  Financial  Services 

On 

The  Medical  Financial  Privacy  Protection  Act 


June  14,  2000 


197 


Consumers  Union'  (CU)  appreciates  the  opportunity  to  testify  about  medical  and 
financial  privacy  protection,  and  the  sharing  of  medical  information.  CU  has  advocated 
for  medical  privacy  for  many  years.  We  recently  filed  comments  with  the  Department  of 
Health  and  Human  Services  on  their  proposed  rule  for  Standards  for  Privacy  of 
Individually  Identifiable  Health  Information. 

Consumers  Union  believes  that  any  legislation  on  medical  privacy  should  provide 
consumers  ( 1 )  with  the  nght  to  amend  and/or  correct  their  health  information  records;  (2) 
have  access  to  their  medical  records,  and  decide  whether  to  release  individually 
identifiable  medical  or  financial  information,  the  "opt-in"  approach.  We  also  believe  that 
health  care  providers,  financial  institutions  and  other  holders  of  health  and  financial 
information  have  a  duty  to  maintain  the  confidentiality  of  individually  identifiable  health 
information  and  should  be  held  accountable  for  protecting  an  individual's  privacy 
interest.  Because  H.R.  4585  addresses  these  issues.  Consumers  Union  supports 
Chairman  Leach's  legislation,  but  believes  it  should  be  strengthened. 

Americans  support  strong  federally  mandated  protections  for  the  privacy  of 
individually  identified  health  information.  In  1993,  a  Lou  Harris  poll  found  that  97%  of 
those  who  were  surveyed  believed  that  protecting  their  medical  privacy  was  important, 
and  36%  foimd  that  it  was  absolutely  essential.  Another  poll  showed  that  96%  of 


Consumers  Union  is  a  nonprofit  membership  organization  chartered  in  1936  under  the  laws  of 
the  State  of  New  York  to  provide  consumers  with  information,  education  and  counsel  about 
goods,  services,  health,  and  personal  finance;  and  to  initiate  and  cooperate  with  individual  and 
group  efforts  to  maintain  and  enhance  the  quality  of  life  for  consumers.  Consumers  Union's 
income  is  solely  derived  from  the  sale  of  Consumer  Reports,  its  other  publications  and  from 
noncommercial  contributions,  grants  and  fees.  In  addition  to  reports  on  Consumers  Union's  own 
product  testing,  Consumer  Reports  with  approximately  4.5  million  paid  circulation,  regularly, 
carries  articles  on  health,  product  safety,  marketplace  economics  and  legislative,  judicial  and 
regulatory  actions  which  affect  consumer  welfare.  Consumers  Union's  publications  carry  no 
advertising  and  receive  no  commercial  support. 


198 


Americans  believed  that  rules  should  be  implemented  to  state  which  individuals  have 
access  to  medical  records  and  the  information  that  they  can  obtain.  My  testimony  today 
will  focus  on  issues  that  are  of  primary  concern  to  consumers  —  notice  and  consent, 
sharing  of  information  within  multi-business  corporations,  and  the  ability  to  amend  and 
correct  their  information. 

The  bill  provides  that  a  financial  institution  may  not  disclose  any  consumer's 
individually  identifiable  health  information  unless  it  has  provided  clear  and  conspicuous 
written  notice,  an  opt-in  measure  for  consumers,  and  has  obtained  written  consent  by  the 
consumer  that  has  not  been  withdrawn.  Consumers  should  be  given  written  notice  in 
plain  language  of  how  their  individually  identifiable  health  information  will  be  used  and 
by  whom.  This  notice  should  explain  which  information  will  be  collected,  for  what 
purpose  it  will  be  used,  how  it  will  be  protected,  and  the  consequences  of  providing  or 
withholding  requested  information. 

Individually  identifiable  health  information  provided  to  a  financial  institution  by  a 
consumer  should  not  be  transmitted  to  anyone  else  including  affiliates  and  third  parties 
without  the  consumer's  informed  consent.  The  fact  that  the  bill  provides  that  consumer 
consent  has  to  be  given  before  the  release  of  private  health  information  can  be  made  is  of 
utmost  importance.  Personal  information  should  not  be  shared  unless  consumer, 
authorization  has  been  secured  for  a  specific  use.  There  should  also  be  special 
procedures  implemented  for  those  who  are  disabled.  This  is  important  in  such  cases 
where  a  disabled  person  is  incapable  of  giving  written  consent.  There  needs  to  be 
procedures  in  place  to  allow  a  fiduciary  to  act  on  the  individual's  behalf  This  "opt-in" 


199 


measure  affords  greater  privacy  protection  for  consumers  because  it  allows  them  to  give 
informed  consent  to  share  their  highly  sensitive  health  information  before  that 
information  can  be  shared  by  financial  institutions. 

To  protect  medical  privacy,  it  is  important  that  the  "opt-in",  which  waives  the 
privacy  interest,  should  be  clear.  Because  consumers  may  never  read  these  broad  forms, 
specific  disclosures  need  to  be  given  regarding  medical  privacy.  General,  boilerplate 
consent  forms,  which  contain  provisions  that  allow  private  information  to  be  dispersed  to 
a  broad  range  of  entities  deserve  scrutiny. 

In  addition  to  covering  the  sharing  of  information  with  third  parties,  this  bill 
extends  those  protections  to  the  sharing  of  information  with  affiliates.  This  makes  clear 
the  intent  of  the  bill  is  to  ensure  that  health  information  is  not  shared  with  any  other  party 
without  the  consumer's  consent.  Many  consumers  do  not  understand  the  distinctions 
between  affiliates  and  third  parties.  Financial  institutions,  especially  in  the  aftermath  of 
financial  modernization,  may  consist  of  a  family  of  companies.  Those  companies  may 
offer  everything  from  insurance  to  investment  products.  If  the  bill  did  not  cover 
affiliates,  health  information  could  be  shared  throughout  all  these  companies  and  could 
be  used  inappropriately. 

The  bill  provides  that  a  financial  institution  shall  amend,  correct,  or  delete 
material  information  identified  by  a  consumer  that  is  materially  incomplete  or  inaccurate, 
or  shall  notify  the  consumer  of  its  refusal  to  do  so.  In  doing  so,  the  institution  must  give 
reasons  for  its  refusal,  the  identity  of  the  entity  that  created  the  information,  and  refer  the 
consumer  to  that  person  in  order  to  amend  or  correct  the  information,  or  file  a  statement 
of  what  the  consumer  believes  should  be  the  correct  information. 


200 


Consumers  should  have  the  right  to  ensure  the  accuracy  of  their  own  health 
information.  Consumers  should  also  have  the  abihty  to  amend  and  correct  inaccurate 
information.  Should  a  consumer  consent  to  sharing  their  health  information,  inaccurate 
information  may  have  serious  consequences  for  them.  For  example,  they  could  be 
declined  insurance  coverage  because  their  records  falsely  indicate  that  they  have  a  poor 
medical  history.  Therefore,  it  is  important  that  a  proper  system  be  implemented  to  allow 
consumers  to  amend  and/or  correct  any  mistaken  or  inaccurate  information.  It  is  also 
important  for  the  consumer  to  receive  notice  of  any  refusal  and  the  identity  of  the  original 
creator  of  the  disputed  information. 

The  Fair  Credit  Reporting  Act  can  serve  as  a  model  for  the  regulators  to  use  to 
implement  this  requirement.  Specifically,  we  are  concerned  that  one  of  parties  who  has  a 
vested  interest  in  this  information  is  not  allowed  to  make  a  blanket  determination  as  to 
whether  the  disputed  information  is  included  or  shred  with  other  parties.  Though  the  bill 
allows  a  consumer  to  receive  information  about  the  original  creator  of  the  disputed 
information,  covered  entities  may  not  implement  full  and  fair  procedures  to  handle 
discrepancies  in  individuals'  medical  records.  They  should  not  be  allowed  to 
automatically  deny  a  consumer's  request  to  amend  and  correct  medical  information.  The 
FCRA  provides  a  proper  framework  for  giving  consumer's  the  ability  to  amend  and 
correct  inaccurate  information,  because  it  provides  a  heightened  standard  of  fairness. 

We  believe  that  the  FCRA  is  relevant  in  this  context  because  it  governs  the 
accuracy  of  infonnation  contained  in  financial  records,  the  importance  of  which  is  similar 
to  medical  information.    Therefore,  medical  records  should  be  afforded,  at  a  minimum, 
the  same  level  of  protection  that  is  given  to  financial  records  under  the  FCRA. 


201 


There  are  additional  concerns  about  H.R.  4585  that  we  share  with  other  consumer 
advocates.  The  exceptions,  if  any,  should  be  limited.  The  bill  should  not  contain  any 
loopholes  that  would  allow  financial  institutions  to  share  a  consumer's  medical 
information  counter  to  the  intent  of  this  bill.  Also,  a  financial  institution  should  not  be 
allowed  to  use  health  information  about  a  consumer  without  the  consumer's  consent,  not 
just  for  decisions  regarding  a  loan  or  credit,  but  for  any  product  or  service  offered  by  the 
institution  to  the  consumer.  We  are  also  concerned  about  health  information  that  may 
already  be  in  the  financial  institution's  possession.  If  the  intent  of  this  bill  is  to  stop 
information  sharing,  then  it  should  apply  prospectively  to  information  that  banks  have 
already  obtained. 

Consumers  Union  appreciates  the  opportunity  to  testify  on  this  important  issue. 
Consumers  care  about  the  privacy  of  their  health  information  and  this  bill  will  help  to 
protect  that  information  when  dealing  with  increasingly  complex  transactions  in  the 
financial  services  industry. 


202 

Testimony 

of 

A.G.  Breitenstein,  JD,  MPH 

Chief  Privacy  Officer 

ChoosingHealth.com 

(617)283-8483 
ag@choosinghealth.com 

29  Forest  St.  #2 
Somerville,  MA  02143 

Regarding 
H.R.  4585 


Before 
House  Committee  on  Banking  and  Financial 

Services 

The  Honorable  Rep.  Leach 
Chairman 


203 


Good  morning.  Chairman  Leach  and  members  of  the  committee.  Thank  you  for  invitmg  me  here 
to  testify  before  you  on  this  very  important  issue  of  the  privacy  of  personal  health  information. 

Let  me  introduce  myself  My  name  is  A.G.  Breitenstem.  I  am  the  Chief  Privacy  Officer  of  a 
young  Internet  startup  company  known  as  "ChoosingHealth.com."  ChoosingHealth  is  the  first  Internet 
service  of  its  kind  to  allow  patients  to  communicate  with  other  patients  and  with  researchers,  hospitals, 
doctors,  pharmaceutical  companies  and  other  health  industry  vendors  without  having  to  give  up  their 
privacy.  We  are  dedicated  to  the  notion  that  a  patient's  health  information  belongs  to  them  and  is  one  of 
the  most  valuable  resources  that  exists  in  our  burgeoning  information  age. 

1  particularly  want  to  thank  you  for  taking  up  this  very  important  and  very  challenging  issue.  A 
Wall  Street  Journal  Poll  recently  found  that  Americans  consider  the  issue  of  health  pnvacy  to  be  more 
threatening  than  domestic  terronsm.  A  1999  Hams  Poll  found  that  Pnvacy  was  the  number  one  reason 
why  individuals  are  choosing  to  stay  off  of  the  Internet.  And  as  we  have  seen  to  date,  few  legislative  or 
regulatory  solutions  have  succeeded  in  properly  addressing  this  issue. 

But  the  urgency  of  this  problem  is  clear.  In  the  discussions  that  I  have  had  with  health  care 
practitioners,  the  current  lack  of  patient  confidentiality  has  already  had  a  profound  impact  on  the  way  in 
which  they  practice  medicine.  Dr.  Nancy  Dickey,  past  President  of  the  AM  A,  has  stated  that  "these  days 
insurance  companies  don't  want  summaries;  they  want  the  whole  record.  So  I  think  twice  about  what  I 
include.  Then  I  hope  that  I  can  remember  it  all. ..If  my  patients  fear  that  what  they  tell  me  could  comeback 
to  haunt  them,  they'll  tend  to  be  less  forthright.  I  may  come  up  with  the  wrong  treatment  because  I  was 
chasing  the  wrong  clues." 

Dr.  Dickey  is  not  alone.  I  once  spoke  with  one  physician  who  reported  to  me  that  his  wife,  also  a 
doctor,  routinely  "doodled"  in  the  margins  of  her  medical  records.  And  that  her  doodles  were,  in  fact, 
coded  messages  to  herself  regarding  her  patient's  medical  histories.  She  felt  the  need  to  protect  this 
information  because  these  records  are  routinely  sent  to  insurance  companies  and  often  accessible  to 
employers  and  others.    She  was  rightly  concemed,  however,  that  the  care  of  her  patient  might  be 
compromised  if  anything  happened  to  her  and  no  one  was  able  to  decipher  her  doodles. 

This  dramatic  loss  of  privacy  has  been  made  worse  by  the  increasing  demands  of  the  "health  care 
system"  for  information  that  was  previously  held  within  the  one-on-one  doctor-patient  relationship.  As  Dr. 
Ricardo  Lewitus  a  pediatrician  has  stated: 


204 


Insurance  companies  are  requesting  us  as  part  of 'well  visits'  to  ask  and  document 
(which  I  have  no  problem  with)  questions  such  as:  Do  you  have  sex?  Do  you  masturbate? 
How  are  your  relationships  with  your  parents,  friends'!'  Have  you  had  an  abortion?  And 
many  others.  As  1  said.  1  have  no  problem  asking  these  questions.  What  disturbs  me  is  the 
access  that  insurance  companies  have  to  that  information  and  therefore  anybody  else  that 
wants  or  can  legally  obtain  those  records.  We  physicians  are  in  a  Catch  22.  If  we  document, 
patient  confidentiality  can  be  destroyed;  if  we  do  not  document  then  we  are  classified  as  'bad 
doctors.'  As  a  pediatrician,  I  am  very  concerned  about  how  information  available  to  third 
parties  will  affect  these  children's  futures. 


These  stories  show  us  that  patients  are  being  forced  into  an  awful  choice  between  their  health  and 
their  privacy.  For  many,  especially  those  with  HIV,  mental  illness,  genetic  disorders,  etc,  this  choice  can 
be  gut  wrenching  and  destructive.  Your  efforts  here  in  legislating  this  issue  will  have  a  profound  impact 
on  the  integrity  and  effectiveness  of  the  health  care  system  as  well  as  the  personal  integnty  of  each  and 
every  one  of  us.  I  am  here  before  you  today  to  support  you  in  your  efforts  to  protect  this  valuable  and 
common  resource  we  now  know  as  our  health  privacy.  The  proposed  legislation  is  a  good  first  step.  I 
would  like  to  commend  you  for  tackling  this  issue  and  to  make  a  few  suggestions  for  improvement.  I  am 
also  here  to  give  you  some  sense  of  how  your  efforts  in  this  effort  are  going  to  shape  the  future  of  health 
privacy,  health  care  and  the  wider  realm  of  personal  identity  in  the  new  economy. 

If  there  is  one  thought  that  I  would  like  you  to  take  away  from  my  testimony  today,  it  is  this  one: 
Personal  iDformation,  particularly  health  information,  is  the  new  cash  in  the  digital  age.  Your 
efforts  to  protect  the  privacy  of  personal  health  information  will  set  the  terms  that  will  allow 
individuals  to  negotiate  on  a  level  playing  field  for  the  value  of  this  new  currency.  Without 
adequate  protections  individuals  will  be  robbed  of  a  valuable  resource  and  will  be  reluctant  to 
purchase  the  goods  and  services  they  need. 

What  do  I  mean  by  this  statement?  It  will  help  to  make  a  few  observations. 

1)    When  people  get  stuff  for  "free"  in  our  new  digital  economy,  they  are  generally  paying 
for  things  by  giving  up  some  amount  of  personal  information.  This  is  particularly  true  on 
the  Internet.  E-commerce  sites  have  learned  quickly  that  they  can  offer  "free"  goods  and 
services  by  collecting  vast  amounts  of  personal  information  like  buying  habits,  profiled 
interests,  etc,  and  selling  them  to  others.  Most  websites  have  either  as  their  primary  or 


205 


secondary  source  of  revenue,  some  plan  to  sell  personal  information.  In  this  way,  our  personal 
information  is  used  as  a  stand-m  for  cash. 
2)    Personal  health  information  is  the  most  valuable  of  all  of  the  various  categories  of 

information,  followed  closely  by  one's  financial  information.  As  such,  health  and  fmancial 
information  are  the  most  valuable  of  all  the  bits  of  personal  data  that  can  be  collected.  They 
are  also  the  hardest  to  acquire.  If,  for  instance,  a  bank  has  data  from  the  purchase  of  an  inhaler 
for  my  asthma,  the  fact  that  I  have  asthma  is  significantly  more  valuable  than  the  SIO 
transaction  involving  the  inhaler.  If  I,  as  a  bank,  can  collect  and  sell  a  list  of  people  who  have 
asthma  to  an  unscrupulous  researcher  or  a  direct  marketer  1  can  make  millions  of  dollars. 
Similarly,  information  regarding  my  breast  cancer  diagnosis  can  be  incredibly  valuable  with 
regard  to  my  credit  worthiness  for  a  home  mortgage. 

How  should  these  observations  affect  your  work  on  HR  4585?  Let  me  suggest  the  following. 
Privacy  legislation  will  be  the  backdrop  against  which  the  emerging  digital  economy  will  be  set.  It  will 
have  a  profound  influence  on  the  ability  and  nght  of  consumers  to  negotiate  the  value  of  their  personal 
information  in  exchange  for  those  goods  and  services  they  desire.  You  are,  in  effect,  creating  a  new 
currency  of  sorts.  This  is  a  very  subtle,  but  very  radical  idea.  Your  efforts  here  must  incorporate  this  fact 
and  be  vigilant  in  the  protection  of  personal  health  and  financial  pnvacy.  Let  me  make  a  few  suggestions 
and  observations: 

1)  The  basic  rule  of  consent  must  be  clear  and  unambiguous  with  few  exceptions  and 
full  information.  Consent  establishes  the  right  of  the  individual  not  to  be  robbed  of 
their  personal  data.  If  we  are  venturing  into  a  new  information  age,  we  must  protect  the 
ability  of  the  individual  to  protect  his/her  resources  in  this  realm. 

2)  Health  information  collected  for  one  purpose  cannot  be  used  for  another  purpose 
without  consent.  If  I  use  a  debit  card  to  purchase  an  asthma  inhaler,  I  have  done  so  for 
the  limited  purpose  of  paying  for  the  inhaler.  Any  other  uses  that  I  do  not  consent  to 
rob  me  of  the  value  of  this  personal  information.  Think  of  it  as  a  stock  certificate  that  I 
place  in  a  safe  deposit  box.  Just  because  I  place  that  information  in  the  bank's  custody 
does  not  allow  that  bank  to  treat  it  as  its  own.  Secondary  uses  of  that  information 
without  my  consent  should  be  prohibited,  particularly  when  those  secondary  uses  could 
affect  my  access  to  things  like  access  mortgages,  loans  etc. 


65-149    2001-8 


206 


3)  As  the  banking  and  insurance  functions  begin  to  merge  it  is  going  to  be  exceedingly 
important  to  build  a  fire-wall  between  these  t^*o  areas.  People  should  not  be  forced 
by  virtue  of  the  privileges  we  as  a  society  have  granted  corporations  to  choose  between 
their  health  and  their  ability  to  own  a  home  or  a  car.  If  the  insurance  side  of  a  business 
is  aware  that  I  have  been  diagnosed  with  breast  cancer,  the  banking  side  should  not  then 
be  allowed  to  bar  my  ability  to  get  a  home  mortgage. 

4)  Individuals  must  have  a  private  right  of  action  to  enforce  their  claims  on  their 
personal  health  information.  Data  is  property.  If  there  is  one  thing  we  have 
historically  protected  in  this  country,  it  is  the  right  of  an  individual  to  protect  his/her 
property.  The  failure  to  do  so  here  will  not  only  adversely  affect  health  care,  but  will 
also  set  a  dangerous  precedent  in  the  new  information  era.  You  will  make  individuals 
into  helpless  dependents  upon  the  state  for  protection  of  one  of  the  most  valuable 
resources  in  our  new  economy.    I  cannot  stress  how  pernicious  this  will  be  to  our 
fledgling  Internet  economy. 

Let  me  close  by  saying  this.  Many  of  my  esteemed  colleagues  will  testify  today  that  privacy 
protections  are  going  to  drive  up  costs  and  stifle  economic  growth.  I  want  to  challenge  their  argument 
head  on.  Personal  information  is  a  resource.  It  has  value  and  as  our  economy  shifts  to  an  information 
based  system,  it  will  become  one  of  the  most  valuable  resources  in  the  world.  If  we  rob  individuals  of 
their  data,  we  render  them  penniless  and  powerless  to  participate  freely  and  fairly  in  a  new  free  market. 
We  will  first  feel  this  in  rising  health  care  costs  owing  to  an  eroded  doctor-patient  relationship.  We  will 
then  feel  the  effects  when  people  offer  erroneous  information  or  worse  choose  not  to  participate  at  all.  We 
are  already  seeing  evidence  that  this  is  occurring.  A  1 999  Consumers  League  study  found  that  70%  of 
people  were  unwilling  or  reluctant  to  divulge  personal  or  financial  information  on-line.    A  2000 
CyberDialogue  poll  found  that  40%  of  women  who  have  never  made  a  purchase  online  cited  privacy, 
security  and  a  lack  of  regulation  as  the  major  barriers.  Without  adequate  privacy  protections,  we  will 
stifle  this  exciting  new  driver  of  our  economic  growth.  I  urge  you  to  make  this  bill  as  strong  as  possible 
and  to  give  the  people  of  this  country  the  right  to  control  the  data  that  is  a  reflection  of  their  most  intimate 
selves  and  that  will  represent  them  in  the  new  digital  economy. 

Thank  you  for  your  time  today.  I  look  forward  to  working  with  you  on  this  important  legislation 
and  would  be  happy  to  offer  any  help  I  can. 


207 


PRIVACY  TIMES  ^^^ 


Testimony  of 

Evan  Hendricks,  Editor/Publisher 
Privacy  Times 
wwwpnvacytimes-com 

Before  The  House  Committee  on  Banking  &  Financial  Services 

June  14,  2000 

Mr.  Chairman,  thank  you  for  the  opportunity  to  testify  before  the  Committee. 
My  name  is  Evan  Hendricks,  Editor  &  Publisher  of  Privacy  Times,  a  Washington 
newsletter  since  1981.  For  the  past  23  years,  I  have  studied,  reported  on  and 
published  a  wide  range  of  privacy  issues,  including  credit,  medical,  employment, 
Internet,  communications  and  government  records.  I  have  authored  books  about 
privacy  and  the  Freedom  of  Information  Act.  I  have  served  as  an  expert  witoess  m 
litigation,  and  as  an  expert  consultant  for  government  agencies  and  corporations. 

Mr.  Chairman,  I  am  particularly  heartened  by  your  continued  leadership  on 
privacy,  as  you  arc  consistently  willing  to  give  the  issue  a  fair  hearing.  It  was 
through  this  Committee  that  amendments  to  the  Fair  Credit  Reporting  Act  were 
passed.  And  it  was  you  who  took  the  lead  in  tackling  the  difficult  problems  posed 
by  the  underworld  of  "information  brokers"  who  specialize  in  stealing  individuals' 
confidential  information,  resulting  m  important  legislation.  These  were  all 
bipartisan  efforts  that  also  would  not  have  been  possible  without  the  leadership  of 
the  Committee's  Ranking  Minority  Member,  Congressman  John  J.  LaFalce.  I've 
seen  first  hand  how  Americans  have  benefited  fi-om  your  cooperative  approach  to 
privacy. 

Today's  hearing  represents  another  advance,  as  we  focus  on  the  vital  issue  of 
financial  institutions'  use  of  medical  data.  To  me,  the  issue  is  not  whether  overall, 
HR4585  is  a  good  bill.  For  the  most  part,  it  is.  The  more  imponant  question  is 
whether  the  Committee  should  devote  its  valuable  resources  to  such  a  narrowly 
targeted  bill  at  a  time  when  there  are  many  broader  privacy  issues  that  need  to  be 
addressed.  I  favor  a  broader  approach. 


Privacy  Times.  P.O.  Box  21501,  Washington.  D.C.  20009  •  Tel:  (202)  829-3660  •  ftx:  (202)  829-3653 


208 


The  Bill 

The  legislation  (HR  4585)  is  an  excellent  starting  point  because  it  is  based 
i^on  the  standard  which  must  drive  all  privacy  law:  affiimative,  infonned  consent. 
Specifically,  it  requires  financial  institutions  that  include  insurance  companies, 
insurance  agents  and  other  financial  firms  which  possess  individually  identifiable 
health  information  to  obtain  a  consumer's  afBnnative  consent  before  sharing  that 
information  with  an  afiBliate  or  a  iK)n-afi51iated  third  party.  This  is  the  correct 
standard  because  Americans  generally  don't  differentiate  between  affiUates  or 
outsiders.  However,  they  are  concerned  when  information  they  give  for  one  purpose 
is  used  for  other  purposes  without  their  informed  consent. 

The  measure  generally  requires  consent  before  a  financial  institution  could  use 
health  information  in  deciding  wiiether  to  issue  credit.  The  measure  would  bar 
financial  institutions  from  requiring  consent  for  obtaining  health  data  as  a  condition 
of  providing  a  loan  or  credit. 

Another  positive  feature  of  the  bill  is  that  it  gives  consumers  a  right  of  access 
to  their  medical  data,  and  a  ri^t  to  dispute  the  accuracy  of  that  data.  These  are 
fundamental  rights  that  are  essential  to  privacy  protection. 

The  bill's  language  needs  to  be  ti^tened  to  ensure  that  some  kinds  of 
"consent"  do  not  become  mandatory.  For  mstance,  would  not  want  a  privacy  bill  to 
authorize  a  lender  to  access  the  medical  database  of  its  life  insurance  affiliate 
throu^  some  sort  of  blanket  consent  form.  If  you've  ever  read  the  consent  forms 
typically  used  in  insurance,  banking  and  employment,  you  imderstand  that  this  is  a 
real  danger. 

Another  problem  is  the  limitation  of  coverage  to  "loan  or  credit"  granting. 
This  leaves  open  the  possibility  that  medical  information  held  by  financial 
institutions  could  be  used  for  marketing,  pre-screening  and  employment. 

A  Broader  Approach  Is  Needed 

Given  the  limited  scope  of  HR  4585,  and  the  need  to  protect  privacy  of  all 
kinds  of  financial  information,  I  strongly  urge  the  Committee  to  use  the  Clinton 
Administration's  financial  privacy  legislation,  introduce  m  the  House  by 
Rep.  LaFalce,  as  the  starting  point.  This  bill  better  addresses  the  broader  issues  of 
financial  privacy  that  were  not  adequately  addressed  by  last  year's  Gramm-Leach- 
Bliley  Act. 


209 


A  Blueprint  For  Protecting  Privacy  In  America 

Privacy  is  inadequately  protected  in  the  United  States  because  of  major  gaps 
in  our  national  laws.  The  traditional  approach  has  been  to  introduce  narrowly 
tailored  privacy  bills  has  specific  problems  are  identified.  This  has  left  us  with  a 
hodge-podge  of  privacy  laws,  such  as  the  Fair  Credit  Reporting  Act,  the  Cable 
Television  Privacy  Act,  the  Video  Rental  Privacy  Protection  Act,  the  Telephone 
Consumer  Protection  Act  and  the  Gramm-Leach-Bliley  Act,  to  name  a  few. 

However,  the  United  States  still  does  not  have  national  laws  protecting  the 
privacy  of  retail  and  Internet  records,  medical  records  and  many  kinds  of  financial 
and  insurance  records.  Considering  that  we  are  in  an  "Age  of  Convergence,"  in 
which  various  mediums  like  Internet,  cable,  commimications,  banking  and  wireless 
data  systems  are  converging,  this  approach  is  no  longer  tenable. 

The  most  effective  way  to  achieve  the  much  needed,  more  comprehensive 
approach  is  for  the  Administration  to  propose  a  national  legislative  privacy  package, 
and  to  set  up  "privacy  infrastructure."  Then  the  appropriate  Congressional 
committees  would  be  responsible  for  acting  upon  the  parts  of  the  package  that  come 
within  their  jurisdiction. 

A  major  problem  has  been  that  this  Administration,  like  others  before  it,  has 
refused  to  do  its  part  in  presenting  to  Congress  a  national  legislative  package.  In  this 
Administration,  much  of  the  blame  for  this  falls  on  the  U.S.  Department  of 
Commerce,  >\^ch  has  continued  to  rely  on  industry  setf-regulation  long  after  such 
an  approach  has  proven  ineffective  and  unworkable.  On  the  issue  of  privacy,  the 
Commerce  Department  has  an  inherent  conflict  of  interest  and  should  get  out  of  the 
privacy  pohcy  business  altogether. 

The  good  news  is  that  the  Administration  is  finally  moving  to  fulfill  its 
obUgation,  albeit  in  fits  and  starts.  (Better  late  than  never.)  As  mentioned,  the 
Administration  has  proposed  more  comprehensive  legislation  to  protect  financial 
privacy,  fulfilling  its  promise  to  revisit  privacy  after  the  enactment  of  Gramm- 
Leach-Bliiey. 

The  Federal  Trade  Commission  has  recommended  national  legislation  to 
protect  Internet  privacy.  The  Department  of  Health  &  Human  Services,  due  to 
Congressional  inaction,  has  proposed  rules  to  protect  medical  privacy.  To  its  credit, 
HHS  has  recognized  the  limits  of  its  rulemaking  power,  when  compared  to 
legislation. 


210 


What  is  also  needed  is  what  all  other  Western  nations  have;  An  Independent 
OfiBce  of  the  Privacy  Commissioner.  In  the  U.S.,  such  an  ofiBce  could  do  the 
examine  the  hodge-podge  of  privacy  laws  and  recommend  to  Congress  how  to  bring 
them  in  line  so  there  would  be  greater  consistency  -  a  level  playing  field  for 
Americans  and  the  organizations  that  handle  their  data. 

A  Privacy  Commissioner  would  also  serve  a  public  resource  and  an 
Ombudsman  for  Americans.  Such  an  office  was  proposed  in  legislation  introduced 
during  the  1990s  by  Sen.  Paul  Simon. 

It's  important  to  note  that  the  American  pubhc  has  made  it  clear  that  privacy  is 
a  priority,  and  that  they  want  legal  protection  for  their  personal  data.  A  wide  array 
of  opinion  polls  consistently  confinn  broad  pubhc  support  for  the  kind  of  national 
privacy  pohcy  that  I  have  outline  here. 

That  is  why,  I  beUeve,  at  this  point  in  history,  it  would  not  be  appropriate  to 
invest  scarce  Congressional  resources  m  narrowly  tailored  legislative  proposals  that 
fail  to  address  the  broader  concerns  of  the  American  pubhc. 

Finally,  it  is  time  that  all  parties  recogni2»  that  the  failtire  to  protect  privacy 
adequately  is  hurting  prospects  for  e-commerce.  Studies  show  that  significant 
portions  of  the  pubhc  are  reluctant  to  engage  in  e-commerce  because  of  privacy 
concerns.  Moreover,  they  show  that  a  majority  of  Internet  users  who  begin  to  buy 
online  actually  abandon  their  "shopping  carts"  when  they  are  asked  for  their  credit 
card  nimibers.  The  moral  of  this  story  is  clear:  E-commerce  cannot  be  successfiil 
without  consumer  confidence;  and  without  privacy,  there  will  not  be  consumer 
confidence. 

By  far,  it's  not  too  late  to  solve  this  problem.  It  will  take  a  thoughtfiil  mix  of 
legislative  and  technological  solutions  to  create  a  pro-privacy  environment  in  v^diich 
e-commerce  can  flourish. 

But  if  we  fail  to  undertake  these  steps,  the  next  debate  could,  unfortunately,  be 
over  "Who  Lost  E-Commerce." 

Again,  Mr.  Chairman,  thank  you  for  this  opportunity.  I  would  be  luqipy  to 
answer  any  questions. 


211 


Testimony  Of 
U.S.  Public  Interest  Research  Group 

On  HR  4585,  the  Medical  Financial  Privacy  Protection  Act 

Before  the  Conunittee  on  Banlcing  and  Financial  Services 

Honorable  James  Leach,  Chairman 

14  June  2000 

by  Edmund  Mierzwinski 
Consumer  Program  Director,  U.S.  PIRG 

Mr.  Chairman,  Ranking  Member  LaFalce,  members  of  the  committee:  Thank  you  for  the 
opportunity  to  testify  before  you  on  the  important  topic  of  health  and  financial  privacy.  My 
testimony  today  is  on  behalf  of  the  U.S.  Public  Interest  Research  Group  (U.S.  PIRG).' 

We  want  to  commend  the  Chairman  for  introducing  legislation  that  would  improve  the  privacy 
provisions  of  Title  V  of  the  Gramm-Leach-Bliley  Financial  Services  Modernization  Act  (the  Act). 
As  you  know,  our  organization  is  troubled^  that,  last  year,  when  Congress  enacted  HR  10/S  900  into 
law  as  the  Act,  it  failed  to  adequately  take  into  account  the  consumer  need  for  strong  privacy 
protection  based  not  only  on  notice,  but  on  all  of  the  Fair  Information  Practices.''  The  chairman's 
bill,  HR  4585,  The  Medical  Financial  Privacy  Protection  Act,  is  designed  to  address  one  of  the  most 
important  problems  left  unaddressed  in  Title  V — protecting  medical  financial  privacy. 

Summary 

We  are  pleased  that  the  coverage  of  HR  4585  is  very  similar  to  the  medical  privacy  provisions  of 
the  Administration's  proposal,  HR  4380,  as  introduced  by  Ranking  Member  LaFalce,  Mr.  Markey 
and  others.  Nevertheless,  while  we  generally  support  HR  4585  with  modifications  as  discussed 
below,  we  would  respectfully  point  out  that  we  believe  that  the  more  comprehensive  proposal 
offered  by  the  President,  with  amendments,  should  be  the  one  enacted  by  the  Congress.  HR  4380 
addresses  not  only  medical  financial  privacy,  but  also  closes  the  affiliate  sharing  and  joint 
marketing  loopholes  in  Title  V  and  makes  other  important  changes  that  apply  not  only  to  medical 
information,  but  also  to  financial  information. 

By  carving  out  the  nearly  consensus  issue  of  protecting  medical  financial  privacy,  which  even  the 
banks  are  afraid  to  oppose  too  strongly,  we  fear  that  our  task  in  enacting  the  balance  of  the  missing 
privacy  elements  in  the  Act  will  grow  even  harder.  Nevertheless,  we  commend  the  Chairman  for 
taking  an  important  step  to  protect  medical  financial  privacy  and  urge  him  to  consider  adopting 
strengthening  amendments  to  broaden  the  effect  of  his  important  bill  by  picking  up  more  pieces  of 
the  comprehensive  plan  proposed  by  the  President.  We  believe  that  the  public  concern  for  privacy 
deserves  as  broad  and  rapid  a  response  as  possible.  The  need  to  move  quickly  has  been  exacerbated 
by  passage  of  the  Act,  which  will  encourage  even  more  affiliations  and  more  information  sharing. 

Key  Elements  of  HR  4585  and  Suggestions  To  Improve  HR  4585  And  HR  4380 

Like  the  President's  proposal,  HR  4585  recognizes  that  medical  financial  privacy  deserves  the 
strongest  possible  protections.  Firms  would  be  generally  prohibited  from  sharing  health  information 


212 


without  express  opt-in  consent.  Further,  several  elements  of  the  Chairman's  bill  infer  a  very  high 
standard  of  express  consent  before  sharing,  notably  its  provision  that  use  of  information  already 
held  requires  consent  and  its  provision  that  mental  health  information  be  subject  to  special  separate 
consent.  These  are  important  provisions. 

We  would  suggest  that  the  following  amendments  to  either  the  Chairman's  bill,  the  President's  bill, 
or  both.  In  addition,  we  have  discussed  the  bill  with  the  American  Civil  Liberties  Union,  the 
Georgetown  University  Health  Privacy  Project  and  Consumers  Union,  and  associate  ourselves  with 
their  remarks  on  other  aspects  of  the  bills  that  need  strengthening. 

Exceptions:  First,  both  bills  have  broad  exceptions  provisions.  We  believe  that  there  may 
not  be  adequate  public  policy  justification  for  all  of  the  exceptions  sought  and  would  urge  the 
committee  to  carefully  reevaluate  each  of  the  uses  that  have  been  proposed  to  be  exempt  from  the 
privacy  protections  of  the  two  bills. 

Non-Coercion/Boilerplate  Consent:  We  believe  that  consent  is  a  necessary  but  not 
sufficient  condition  for  obtaining  and  using  medical  financial  information.  Section  4  of  HR  4380 
establishes  that  all  consumers  be  treated  equally,  whether  they  are  customers  of  an  affiliate  or  not. 
The  Chairman's  bill  appears  to  have  a  parallel  provision,  although  its  construction  is  somewhat 
different.  Both  bills  may  have  useful  elements  that  should  be  incorporated  into  a  strong  final 
provision.  However,  neither  bill  has  the  additional  provision  common  to  the  strong  medical  privacy 
bills  introduced  in  this  Congress — an  express  requirement  that  no  treatment  be  conditioned  upon 
provision  of  consent. 

"Loans  or  Credit:"  Important  parts  of  the  Chairman's  bill  restrict  its  applicability  to  the 
provision  of  "loans  or  credit"  but  not  to  other  products  and  services  offered  by  or  anticipated  to  be 
offered  by  either  the  one-stop  financial  supermarkets  or  their  joint  marketing  partners  enabled  by 
the  Act.  The  protections  of  any  medical  financial  privacy  bill  should  apply  across  the  board,  to  the 
use  of  medical  privacy  information  for  any  purpose.  Under  the  limitation  to  "loans  or  credit," 
sensitive  medical  information  could  be  used  for  pre-screening,  marketing,  employment  decisions, 
and  investment  due  diligence  or  other  purposes,  without  consent,  under  the  bill.  Yet,  while  the  HHS 
regulations  under  the  Health  Insurance  Portability  and  Accountability  Act  (HIPAA)  prohibit  such 
uses  for  health  insurers,  this  bill  does  not  prohibit  such  uses  for  numerous  other  insurers  or 
entities — such  as  auto,  life,  property  and  casualty  and  certain  disability  insurers. 

Private  Right  of  Action:  Neither  bill  would  amend  Title  V  to  grant  consumers  a  private 
right  of  action  for  violations.  Consumers  deserve  the  right  to  enforce  violations  of  their  medical 
financial  privacy. 

Access:  The  bill  establishes  that  consumers  have  access  to  their  files  and  a  right  to  correct 
errors.  We  would  strongly  recommend  that  instead  of  establishing  such  a  narrow  right  that  only 
applies  to  medical  financial  privacy,  why  not  take  the  language  of  the  administration  bill  and  amend 
Title  V  to  apply  these  stronger,  important  Fair  Information  Practice  rights  to  all  information  held  by 
financial  services  holding  companies?  This  change  would  obviate  one  of  the  industry's  running 
complaints  about  complexity  of  regulations.  Instead  of  having  strong  access  and  correction 
provisions  apply  only  to  some  information,  make  the  law  less  complex  and  less  burdensome  by 
giving  consumers  these  rights  in  all  information  covered  under  the  Act,  thereby  establishing  only 
one  rule  for  firms  to  comply  with,  instead  of  two. 

Stronger  Law  Controls:  Both  bills  include  language  describing  their  relationship  tu 
HIPAA.  Despite  this  provision,  we  believe  that  there  may  be  overlaps  and  conflicts  between  the 
laws.  We  would  suggest  two  changes.  First,  the  inclusion  of  a  more  explicit  section  that  clarifies 
that  in  all  cases  of  overlap,  the  stronger,  more  pro-privacy  protection  applies.  Second,  we  would 


213 


suggest  that  the  notion  of  describing  a  relationship  to  "regulations,"  rather  than  statutes,  may  prove 
problematic  and  deserves  clarification  before  markup.  For  example,  what  if  the  regulations  are 
amended  under  a  successor  administration? 

Conclusion: 

We  are  pleased  to  support  HR  4585  with  the  modifications  above.  It  closes  important  loopholes  in 
the  Act  and  protects  the  most  sensitive,  unprotected  information  about  consumers  from  misuse.  If 
enacted,  the  bill  would  protect  consumer  medical  financial  privacy  information  through  an  opt-in, 
express  consent  system.  We  are  encouraged  that  both  the  President  and  the  Chairman  of  the 
committee  have  adopted  the  concept  of  opt-in  consent  and  strong  privacy  protection  that  has  been 
supported  by  a  broad  consensus  of  American  privacy,  civil  liberties,  consumer,  and  pro-family 
organizations^  and  championed  by  a  growing,  bi-partisan  number  of  members.  Now,  we  need  to 
extend  the  Chairman's  opt-in  provision  on  medical  information,  and  the  President's  opt-in  provision 
on  medical  information  and  sensitive  financial  information,  to  all  information  held  by  entities  under 
the  Act.*  We  believe  that  the  Chairman's  bill  offers  an  important  template  for  extending  this 
concept.  We  hope  that  the  Chairman,  Mr.  LaFalce  and  the  President  will  work  together  to  expand 
the  Chairman's  bill  before  markup,  so  that  the  final  bill  addresses  other  major  loopholes  in  the  Act. 
Thank  you  for  the  opportunity  to  share  our  views. 

ENDNOTES: 


U.S.  PIRG  serves  as  the  national  lobbying  office  for  state  Public  Interest  Research  Groups.  PIRGs  are  non-profit,  non- 
partisan consumer  and  environmental  advocacy  groups  active  around  the  country. 

For  more  details  on  PIRG's  Financial  Privacy  Platform,  see 
<http://www.pirg.org/consumer/banks/action/privacy.htm> 

'  As  originally  outlined  by  a  Health,  Education  and  Welfare  (HEW)  task  force  in  1973,  then  codified  in  U.S.  statutory 
law  in  the  1974  Privacy  Act  and  articulated  internationally  in  the  1980  Organization  of  Economic  Cooperation  and 
Development  (OECD)  Guidelines,  information  use  should  be  subject  to  Fair  Information  Practices.  Noted  privacy 
expert  Beth  Givens  of  the  Privacy  Rights  Clearinghouse  has  compiled  an  excellent  review  of  the  development  of  FIPs, 
"A  Review  of  the  Fair  Information  Principles;  The  Foundation  of  Privacy  Public  Policy."  October  1997. 
<http://www.privacyrights.org/AR/fairinfo.html  >  The  document  cites  the  version  of  FIPs  in  the  original  HEW 
guidelines,  as  well  as  other  versions:  Fair  Information  Practices  U.S.  Dept.  of  Health,  Education  and  Welfare,  1973 
[From  The  Law  of  Privacy  in  a  Nutshell  by  Robert  Ellis  Smith,  Privacy  Journal,  1993,  pp.  50-5 1 .] 

1. Collection  limitation.  There  must  be  no  personal  data  record  keeping  systems  whose  very  existence  is  secret. 

2. Disclosure.  There  must  be  a  way  for  an  individual  to  find  out  what  information  about  him  is  in  a  record  and  how  it  is 
used. 

3. Secondary  usage.  There  must  be  a  way  for  an  individual  to  prevent  information  about  him  that  was  obtained  for  one 
purpose  from  being  used  or  made  available  for  other  purposes  without  his  consent. 

4.Record  correction.  There  must  be  a  way  for  an  individual  to  correct  or  amend  a  record  of  identifiable  information 
about  him. 

S.Security.  Any  organization  creating,  maintaining,  using,  or  disseminating  records  of  identifiable  personal  data  must 
assure  the  reliability  of  the  data  for  their  intended  use  and  must  take  precautions  to  prevent  misuse  of  the  data. 
*  Of  course,  it  is  our  view  that  HR  4380,  which  adopts  a  mixed  opt-in/opt-out  approach  for  financial  privacy  protection, 
should  be  strengthened  to  a  full  opt-in  approach  across  the  board,  as  HR  3320  (Markey)  would  provide. 
'  For  a  list  of  organizations  that  make  up  the  informal  Shelby-Markey  Financial  Privacy  Coalition,  see  the  letter  16 
groups  sent  to  financial  regulators  last  month  condemning  the  delayed  implementation  of  Title  V,  the  privacy  provisions 
of  the  act,  at  http://www.consumer.org/consumer/glbdelav.htm 

'  And  then,  of  course,  to  resolve  the  egregious  gaps  in  U.S.  privacy  law  by  working  to  extend  opt-in  consent  and  other 
Fair  Information  Practices  to  all  use  of  consumer  information,  whether  financial,  medical,  Internet  or  otherwise. 


214 


^EORgETOff':?^^//VIf'ERS/TY 


GeorfHoam  Public  Policy  Imtlilult 


Testimony  before  the 

U.S.  House  of  Representatives 

Committee  on  Banking  and  Financial  Services 

on 


H.R.  4585 
The  Medical  Financial  Privacy  Protection  Act 


Joy  Pritts,  Senior  Counsel 

Health  Privacy  Project 

Institute  for  Health  Care  Research  and  Policy 

Georgetown  University 


June  14, 2000 


MawMgAddrtu: 

Imsaaufor  HiaU  Can  Rcstarck  and  PoBcj 

2233WisamsaAviiaiiSW  SmuS2S 

Wadimpim  DC  zoom 

ai-tm-OUO    FAX:  201-01-3110 


215 


I.  INTRODUCTION  AND  OVERVIEW 

Mr.  Chairman  and  Members  of  the  House  Committee  on  Banking  and  Financial  Services: 
I  very  much  appreciate  the  invitation  to  testify  before  you  today  on  H.R.  4585,  a  bill  intended  to 
amend  the  Gramm-Leach-Bliley  Act  (also  known  as  the  Financial  Services  and  Modernization 
Act  of  1 999)  in  order  to  fill  the  health  privacy  gaps  in  the  Act. 

The  Health  Privacy  Project  was  launched  in  December  1997  at  the  Institute  for  Health 
Care  Research  and  Policy  at  Georgetown  University.  The  Project  is  dedicated  to  raising  public 
awareness  of  the  importance  of  ensuring  health  privacy  in  order  to  improve  health  care  access 
and  quality,  both  on  an  individual  and  a  community  level.    In  the  past  year,  the  Project  has 
published  a  number  of  resources  on  health  privacy  including  Best  Principles  for  Health  Privacy: 
A  Report  of  the  Health  Privacy  Working  Group;  The  State  of  Health  Privacy:  An  Uneven  Terrain 
(A  Comprehensive  Survey  of  State  Health  Privacy  Statutes);  and  Privacy:  Report  on  the  Privacy 
Policies  and  Practices  of  Health  Web  Sites.  All  of  the  reports  are  available  on  our  Web  site  at 
http://www.healthprivacy.org.  In  addition,  the  Project  coordinates  the  Consumer  Coalition  for 
Health  Privacy,  which  is  comprised  of  a  broad  cross-section  of  consumer  and  disability  rights 
groups  committed  to  educating  and  empowering  healthcare  consumers  to  have  a  more  prominent 
voice  on  health  privacy  issues  at  the  federal,  state,  and  local  levels. 

At  the  outset,  we  would  like  to  express  our  appreciation  to  Chairman  Leach  for  his 
acknowledgment  that  there  are  significant  health  privacy  gaps  in  the  Gramm-Leach-Bliley  Act 
(hereinafter  "the  Act").  We  too  believe  that  there  are  significant  shortcomings  in  the  Act. 

The  primary  purpose  of  the  Act  was  to  enhance  competition  in  the  financial  services 
industry  by  providing  for  the  affiliation  of  banks,  securities  firms,  insurance  companies,  and 
other  providers  of  financial  services.  The  idea  is  to  offer  "one  stop  shopping"  for  financial 
services.  According  to  proponents  of  the  Act,  the  exchange  of  personal  data  between  affiliates  is 
necessary  to  offer  the  kind  of  integrated  financial  services  the  bill  is  supposed  to  promote.  But 
privacy  advocates  are  concerned  that  allowing  the  exchange  of  this  data,  including  medical  or 
health  information,  endangers  the  privacy  rights  of  consumers. 

As  enacted,  however,  the  Act  essentially  allows  the  free-flow  of  a  consumer's  personal 
financial  information  among  affiliates  without  the  knowledge  or  authorization  of  the  consimier. 
The  Act  only  places  restrictions  on  disclosures  to  "nonaffiliated"  third  parties,  and  those 
restrictions  are  de  minimus.  Even  those  restrictions  can  be  circumvented  through  joint  marketing 
agreements. 

In  our  comments  on  the  proposed  regulations  to  the  Act,  we  noted  that  these  deficiencies 
would  best  be  remedied  through  legislation.  As  such,  we  are  pleased  that  the  Chairman  has 
introduced  legislation,  and  has  held  this  hearing  today.  We  also  want  to  acknowledge  that  there 
have  been  additional  efforts  recently  to  amend  the  Act  including  an  Administration  proposal 
introduced  by  members  in  both  the  House  and  Senate,  and  a  separate  bill  introduced  by  Senator 
Shelby  (R-AL). 


216 


Finally,  we  must  highlight  that  the  Department  of  Health  and  Human  Services  is  due  to 
issue  final  health  privacy  regulations  this  fall,  as  required  by  the  1996  Health  Information 
Portability  and  Accountability  Act  of  1996.    The  proposed  federal  health  privacy  regulations 
constitute  a  significant  step  towards  restoring  the  public  trust  and  confidence  in  our  nation's 
health  care.  These  rules,  however,  are  by  no  means  the  fmal  solution.  By  virtue  of  the  limited 
authority  delegated  by  Congress,  the  proposed  rules  have  limited  applicability  and  cover  only 
health  plans,  health  care  clearinghouses,  and  health  care  providers  who  transmit  health 
information  ("covered  entities")  in  electronic  form.  As  such,  a  large  segment  of  those  who  hold 
health  information  remains  beyond  the  scope  of  these  regulations.  Therefore,  it  is  important  that 
the  Financial  Services  Act  be  amended  to  establish  clear  and  enforceable  privacy  rules  for  those 
entities  not  covered  by  the  HIPAA  regulations. 

Our  testimony  today  focuses  on  the  major  provisions  of  H.R.  4585:  restrictions  on 
disclosure;  limitations  on  use;  voluntary  consent;  the  right  to  see  and  correct  health  information; 
and  the  relationship  to  other  laws.  As  background,  we  have  included  brief  information  about  the 
need  to  protect  the  privacy  of  people's  health  information. 


II.        PUBLIC  NEED  AND  DEMAND  FOR  HEALTH  PRIVACY 

The  public  has  consistently  expressed  a  high  degree  of  concern  over  the  vulnerability  of 
their  privacy,  and  the  vulnerability  of  their  health  information  in  particular. 

In  the  absence  of  meaningful  and  enforceable  privacy  protections,  people  are 
withdrawing  from  full  participation  in  their  own  health  care.  People  are  afraid  that  their  health 
records  will  fall  into  the  wrong  hands,  and  lead  to  discrimination,  loss  of  benefits,  stigma,  and 
unwanted  exposure.  A  January  1999  survey  by  the  California  Health  Care  Foundation  found  that 
one  out  of  every  six  people  engages  in  some  form  of  privacy-protective  behavior  to  shield 
themselves  from  the  misuse  of  their  health  information,  including  lying  to  their  doctors, 
providing  inaccurate  information,  doctor-hopping  to  avoid  a  consolidated  medical  record,  paying 
out  of  pocket  for  care  that  is  covered  by  insurance,  and  —  in  the  worst  cases  —  avoiding  care 
altogether. 

Without  trust  that  the  personal,  sensitive  information  they  share  with  their  doctors  will  be 
handled  with  some  degree  of  confidentiality,  people  will  not  fully  participate  in  their  own  health 
care.  As  a  result,  they  risk  inadequate  care  or  undetected  and  untreated  health  conditions.  In 
turn,  the  integrity  of  research  and  public  health  initiatives  that  rely  on  complete  and  accurate 
patient  data  may  also  be  compromised.  Thus,  protecting  privacy  and  promoting  health  care 
quality  and  access  are  values  that  must  go  hand-in-hand. 


217 


in.       STRENGTHS  AND  WEAKNESSES  OF  H.R.  4585 

If  enacted,  H.R.  4585  would  take  a  large  step  forward  in  filling  the  privacy  gaps  in  the 
protection  of  health  information  within  the  context  of  the  financial  services  industry.  However, 
we  do  have  a  number  of  concerns  about  the  bill.  Due  to  the  limited  time  we  have  had  to  review 
this  bill,  we  will  focus  our  testimony  today  on  some  of  the  major  provisions  in  H.R.  4585. 


A.        Increased  Restrictions  on  Disclosure 

One  of  the  major  weaknesses  of  the  Gramm-Leach-Bliley  Act  is  the  minimal  protections 
afforded  by  its  restrictions  on  the  sharing  or  disclosure  of  "nonpublic  personal  information." 
Under  the  Act,  a  financial  institution  can  disclose  nonpublic  personal  information,  including 
individually  identifiable  health  information,  freely  with  its  affiliates  without  any  consent  from 
the  consumer.  As  for  disclosures  to  nonaffiliates,  the  Act  only  requires  notice  of  the  potential 
disclosure  and  an  opportunity  for  the  consumer  to  "opt  out"  of  such  disclosures. 

H.R.  4585  would  improve  these  privacy  protections  in  two  major  ways: 

•  First,  the  restrictions  on  disclosures  would  apply  to  both  affiliates  and 
nonaffiliates. 

From  a  consumer's  perspective  it  is  the  disclosure  of  information  beyond  the  original  record 
holder  that  triggers  concern.  It  makes  little  difference  to  a  consumer  whether  the  recipient  of  that 
information  is  affiliated  with  the  financial  institution.  Therefore,  the  approach  taken  in  H.R. 
4585  is  preferable  to  the  requirements  that  currently  exist  in  the  Act. 

•  Second,  under  H.R.  4585  a  consumer  must  affirmatively  consent  (opt  in)  to  the 
disclosure  of  individually  identifiable  health  information. 

This  approach  parallels  that  taken  in  many  other  areas  of  Federal  privacy  law,  where  "opt  in"  is 
the  norm.  For  example,  a  consumer  "opt  in"  is  required  before  a  tax  prepeurer  could  transfer 
information  fi-om  a  consumer's  tax  return  to  a  fmancial  advisory  affiliate  to  provide  the  consumer 
with  financial  planning  advice.  An  "opt  in"  is  required  before  a  video  rental  store  can  provide 
information  regarding  a  consumer's  videocassette  rentals  to  others.  "Opt  in"  is  required  before 
telephone  companies  can  transfer  information  about  what  telephone  numbers  a  consumer  calls  or 
the  whereabouts  of  the  cellular  phone  the  consumer  is  using  to  other  parties.  "Opt  in"  is  required 
before  cable  television  companies  can  provide  information  about  what  pay-per-view  movies  a 
consumer  is  watching  to  other  parties. 

We  commend  the  adoption  of  an  opt  in  requirement  for  the  disclosiire  of  individually  identifiable 
health  information  within  the  financial  services  context.  However,  it  is  critical  that  this  opt  in  be 
voluntary  and  uncoerced.  (See  "C"  below.) 


218 


B.         Limitations  on  the  Use  of  Individually  Identifiable  Health  Information 

One  of  the  major  concerns  of  health  consumers  is  that  they  might  be  injured  economically 
by  a  financial  institution's  use  of  their  health  information.  The  Act  does  not  address  this  concern. 
H.R.  4585  moves  towards  correcting  this  problem  by  prohibiting  fmancial  institutions  from 
obtaining  or  using  individually  identifiable  health  information  in  deciding  whether  to  issue  or 
continue  credit  or  loans  absent  the  consumer's  affirmative  consent.  We  support  the  general 
concept  behind  this  provision  which  appears  to  alleviate  one  of  the  strongest  concerns  of 
consumers-that  they  might  be  denied  a  loan  or  a  mortgage  due  to  a  health  condition. 

We  are  concerned,  however,  that  this  protection  is  limited  only  to  uses  for 
purposes  of  providing  a  "loan  or  credit"  and  does  not  apply  more  broadly  to  "financial 
transactions"  in  general.  The  current  language  would  allow  uses  of  health  information  obtained 
without  a  consumer's  consent  for  any  insurance  transaction  and  for  any  other  financial 
transaction  that  is  not  the  provision  of  a  loan  or  credit.  We  recognize  that  some  insurance 
transactions  (which  would  fall  in  the  general  category  of  "financial  transactions")  would  require 
the  disclosure  of  health  information.  We  believe,  however,  that  these  interests  could  be  served  by 
obtaining  the  consent  of  the  consumer. 

We  appreciate  the  fact  that  H.R.  4585  attempts  to  limit  the  circumstances  under  which  a 
financial  institution  can  request  a  consumer's  consent  to  receive  health  information.  The  terms  of 
the  limitation,  however,  are  somewhat  confusing. 


C.         Voluntary  Consent 

We  urge  that  H.R.  4585  be  amended  to  include  a  provision  ensuring  that  the  opt  in 
privacy  protection  is  truly  voluntary  and  meaningful.  We  recommend  the  adoption  of  provisions 
that  would  prohibit  financial  institutions  from  conditioning  the  delivery  of  a  financial  service  or 
product  on  the  consumer's  signing  an  authorization  allowing  the  financial  institution  to  receive 
their  health  information.  An  authorization  requirement  is  not  very  meaningful  if  the  consumer 
can  be  coerced  into  providing  such  a  requirement  as  a  condition  of  receiving  a  benefit  or  service. 
We  recognize  that  there  are  some  legitimate  circumstances  for  requiring  an  authorization  for  the 
receipt  of  health  information  as  a  condition  to  providing  some  financial  services  (such  as  some 
types  of  insurance  transactions)  but  these  should  be  the  exception  and  not  the  rule. 


D.         Right  to  See  and  Correct  Health  Information 

H.R.  4585  grants  consumers  the  right  to  access  and  correct  their  individually  identifiable 
health  information  that  is  within  the  possession  of  the  financial  institution.  We  strongly  support 
the  general  concept  behind  this  amendment  to  the  Act.  Financial  institutions  may  base  important 
decisions  on  an  individual's  health  information.  It  is  important  that  the  consumer  be  able  to 


219 


verify  that  this  information  is  accurate  and,  if  necessary,  to  correct  inaccurate  information.  We 
believe,  however,  that  the  right  of  access  granted  is  too  narrow.  The  right  of  access  should  not  be 
limited  to  health  information  that  is  "within  the  possession"  of  the  financial  institution  but  should 
include  information  that  is  within  the  institution's  control. 


E.         Relationship  to  Other  Laws 

As  noted  above,  the  Department  of  Health  and  Human  Services  is  in  the  process  of 
promulgating  privacy  standards  under  the  Health  Insurance  Portability  and  Accountability  Act  of 
1996  (HIPAA).  The  HIPAA  privacy  standards  will  apply  to  many  of  the  same  insurers  that  are 
subject  to  the  Gramm-Leach-Bliley  Act.  We  are  pleased  that  H.R.  4585  expressly  provides  that  it 
does  not  modify,  limit  or  supersede  the  privacy  standards  being  promulgated  by  HHS.  It  appears 
that  this  provision,  in  conjimction  with  other  langimge  in  the  Gramm-Leach-Bliley  Act,  will 
leave  stronger  state  privacy  laws  intact.  As  detailed  in  our  report.  The  State  of  Health  Privacy: 
an  Uneven  Terrain  (A  Comprehensive  Survey  of  State  Health  Privacy  Statutes  (July  1 999)  many 
states  have  detailed  laws  governing  the  use  and  disclosure  of  individually  identifiable  health 
information  by  insurers.  The  state  protections  which  are  stronger  should  stand. 


IV.       CONCLUSION 

While  there  were  unsuccessful  attempts  to  remedy  these  privacy  problems  before  final 
passage  of  the  act  last  simimer,  we  are  heartened  by  your  efforts  to  fuiish  the  job  this  year.  We 
are  available  to  work  with  you  and  the  staff  of  the  committee  in  moving  this  critical  provision 
forward.  H.R.  4585  is  an  essential  piece  of  the  overall  effort  to  ensure  that  Americans  have  basic 
health  privacy  protections.  Through  the  passage  of  this  bill,  the  final  regulations  issued  by  the 
Secretary,  and  other  health  privacy  legislation  being  considered  by  the  Congress,  we  can  help  to 
meet  this  goal. 


220 
Testimony  of 

RONALD  WEIGH 


Partner  -  Zuckerman,  Spaeder,  Goldstein,  Taylor  &  Kolker,  L.L.P. 
Legislative  Consultant  to  the  American  Civil  Liberties  Union 


ON  BEHALF  OF 
THE  AMERICAN  CIVIL  LIBERTIES  UNION 


Before  the 
House  Committee  on  Banking  and  Financial  Services 


on 


"H.R.  4585  -  the  Medical  Financial  Privacy  Protection  Act" 


June  14, 2000 


221 


Mr.  Chairman  and  Members  of  the  Committee:  My  name  is  Ronald  Weich.  I  am  a 
partner  in  the  law  firm  of  Zuckerman,  Spaeder,  Goldstein,  Taylor  &  Kolker,  and  a 
legislative  consultant  to  the  American  Civil  Liberties  Union  (ACLU).  I  am  pleased  to 
appear  before  you  today  on  behalf  of  the  ACLU  to  discuss  the  issue  of  medical  privacy  in 
the  financial  services  industry,  and  to  provide  our  views  on  the  Medical  Financial  Privacy 
Protection  Act  (H.R.  4585)  proposed  by  Chairman  Leach. 

The  ACLU  is  a  nationwide,  non-partisan  organization  of  nearly  300,000  members 
dedicated  to  protecting  the  principles  of  liberty,  fi-eedom  and  equality  set  forth  in  the  Bill 
of  Rights  to  the  United  States  Constitution.  For  almost  80  years,  the  ACLU  has  sought  to 
preserve  and  strengthen  privacy  in  all  aspects  of  American  life. 

My  testimony  is  divided  into  two  parts.  The  first  section  presents  an  overview  of 
the  need  for  medical  privacy  protections  in  federal  law.  The  second  section  discusses  the 
civil  liberties  implications  of  the  Chairman's  proposal  to  address  medical  privacy  in  the 
fmsmcial  industry. 

L         The  Importance  of  Medical  Privacy 

Advances  in  technology  have  brought  about  a  revolution  in  every  aspect  of  health 
care,  including  the  manner  in  which  medical  information  is  maintained  and  disseminated. 
Today,  medical  data  can  be  collected,  combined,  collated,  analyzed  and  distributed  faster 
and  easier  than  ever  before.  Huge  quantities  of  health-related  information  can  be  stored 
electronically  and  transmitted  across  the  country  and  around  the  globe  with  the  click  of  a 
computer  mouse. 


222 


Much  of  this  electronic  activity  benefits  individual  patients  and  facilitates  public 
health  efforts  as  well.  But,  like  many  technological  advances,  society's  increased  reliance 
on  computerized  medical  records  presents  significant  challenges  to  privacy.  In  the 
absence  of  legal  safeguards,  computerization  allows  for  virtually  unlimited  access  to 
medical  records  without  the  knowledge  or  consent  of  the  patient  whose  records  are 
accessed. 

Privacy  is  vital  in  the  health  care  context  because  trust  is  a  fundamental  component 
of  the  doctor-patient  relationship.  Since  medical  records  contain  particularly  sensitive 
and  intimate  information,  patients  are  susceptible  to  humiliation  and  discrimination  in  the 
event  information  from  their  medical  records  is  improperly  disclosed.  If  patients  are  not 
confident  that  their  medical  privacy  will  be  respected,  they  will  be  less  likely  to  seek 
medical  care,  and  less  willing  to  be  candid  with  medical  professionals  about  their  health. 
The  fear  of  losing  medical  privacy,  therefore,  may  lead  to  adverse  health  consequences 
for  individuals.  The  failure  of  individuals  to  seek  medical  treatment  may  also  lead  to 
dangerous  public  health  conditions,  for  example  in  the  areas  of  sexually  transmitted 
diseases  and  substance  abuse. 

At  the  same  time  that  computer  technology  has  made  medical  record  keeping 
vastly  more  efficient  and  therefore  less  reliably  private,  the  confidentiality  of  medical 
records  is  separately  threatened  by  the  trend  toward  economic  integration  of  financial 
institutions,  some  of  which  have  access  to  their  consumers'  personal  medical  information. 
Last  year  Congress  enacted  a  financial  services  modernization  law,  now  known  as  the 
Gramm-Leach-Bliley  Act,  that  dramatically  facilitates  the  merger  of-  and  therefore  the 
sharing  of  information  between  -  banks,  insurance  companies  and  other  financial 
entities. 


223 


The  ACLU  regrets  that  the  financial  services  modernization  law  did  not  include 
stronger  privacy  protections  in  general.  But  we  are  especially  concerned  that  the  bill 
lacks  medical  privacy  protections,  since  medical  information  is  among  the  most  sensitive 
categories  of  information  that  integrated  financial  entities  will  now  be  able  to  share  with 
each  other.  While  we  recognize  that  some  commercial  uses  of  personal  medical 
information  are  legitimate  and  beneficial  to  consumers,  we  believe  that  other  commercial 
uses  of  medical  information  are  illegitimate  and  invasive  of  personal  privacy. 

The  task  for  Congress  now  is  to  sort  out  the  permissible  and  impermissible  uses  of 
medical  information  in  the  financial  services  sector,  and  to  establish  a  process  by  which 
consumers  can  participate  meaningfully  in  decisions  about  their  own  medical 
information. 

It  is  fair  to  ask  why  consumers  have  any  role  at  all  in  this  process,  if  the  records  in 
question  are  generated  and  maintained  by  commercial  entities  rather  than  individual 
patients.  The  answer,  in  our  view,  is  that  patients  ovm  their  medical  records,  and  that 
health  care  providers  or  insurance  companies  who  maintain  those  records  should  be 
viewed  as  custodians  of  the  patients'  property.  We  believe  that  medical  records  in  the 
possession  of  health  care  professionals  or  third  party  payors  are  like  client  files  in  the 
possession  of  attorneys.  The  patient  or  the  client  retains  ultimate  control  over  the 
disclosure  of  information  in  their  records.  If  follows  that  (1)  patients  may  reasonably 
expect  that  their  personally  identifiable  health  information  will  not  be  disclosed  to  anyone 
unless  they  have  given  specific  and  express  written  consent,  and  (2)  medical  records  must 
be  protected  fi-om  unauthorized  access  to  the  fullest  extent  practicable. 


224 


These  straightforward  objectives  are  elusive  because  the  United  States  lacks  a 
coherent  and  consistent  medical  privacy  policy.  A  patchwork  of  state  laws  affords 
varying  levels  of  protection  to  citizens  in  some  jurisdictions.  That  is  insufficient.  The 
ACLU  continues  to  urge  Congress  to  enact  an  omnibus  medical  privacy  law  that  would 
provide  a  consistent  and  reliable  set  of  privacy  protections  for  medical  records  in  all 
settings,  including  the  financial  services  industry. 

In  the  absence  of  such  a  law,  we  have  supported  the  current  regulatory  process  in 
which  the  Department  of  Health  and  Human  Services  is  finalizing  rules  to  implement 
medical  privacy  directives  contained  in  the  1996  Health  Insurance  Portability  and 
Accountability  Act.  The  ACLU  has  submitted  detailed  comments  to  HHS  urging  that 
these  regulations  be  strengthened  in  key  respects. 

It  is  important  that  less  comprehensive  congressional  efforts  to  protect  medical 
privacy,  such  as  this  Committee's  consideration  of  privacy  protections  in  the  financial 
services  industry,  not  hinder  the  broader  efforts  to  enact  a  medical  privacy  policy  through 
statute  or  regulation.  During  consideration  of  the  Gramm-Leach-Bliley  legislation  last 
fall,  we  urged  rejection  of  the  so-called  Ganske  amendment  that  we  believe  could  have 
undermined  the  HHS  regulatory  process.  We  appreciated  the  willingness  of  this 
Committee  to  consider  our  views  and  to  remove  the  amendment  in  conference.  We  also 
appreciate  the  Chairman's  recognition  that  this  is  now  an  issue  that  Congress  must 
address. 

With  these  considerations  in  mind,  I  will  now  turn  to  specific  comments  about  the 
bill  before  the  Committee  today,  H.R.  4585. 


225 

II.        Civil  Liberties  Implications  of  H.R.  4585 

We  commend  Chairman  Leach  for  introducing  a  bill  designed  to  address  the 
significant  deficiencies  of  the  Gramm-Leach-Bliley  law  in  the  area  of  medical  privacy. 
At  the  time  Gramm-Leach-Bliley  was  considered,  some  argued  that  the  generic  privacy 
protections  in  the  bill  were  sufficient  to  meet  concerns  about  the  transfer  of  sensitive 
medical  information  among  financial  affiliates.  The  ACLU  disputed  that  assertion,  and 
we  view  the  introduction  of  H.R.  4585  and  this  hearing  as  a  welcome  acknowledgment 
that  medical  records  deserve  heightened  protection  in  the  financial  world. 

Indeed,  we  hope  that  the  introduction  of  H.R.  4585  signals  a  willingness  by 
Congress  to  reconsider  the  broader  decisions  it  made  about  financial  privacy  in  the 
Gramm-Leach-Bliley  Act. 

In  general,  the  ACLU  supports  an  "opt-in"  privacy  model  under  which 
individually  identifiable  health  information  may  not  be  disclosed  among  component 
entities  of  a  financial  institution  unless  the  institution  provides  notice  to  the  subject  of  the 
information  and  obtains  verifiable  consent  prior  to  disclosure.  While  we  are  pleased  that 
H.R.  4585  generally  adopts  this  approach,  we  believe  there  are  certain  ambiguities  in  the 
proposal  that  should  be  clarified  and  other  improvements  that  should  be  made  during  this 
Committee's  consideration  of  the  bill. 

A  threshold  question  is  the  relationship  between  this  bill  and  the  forthcoming  HHS 
regulations.  Proposed  section  502A(e)  provides  that  nothing  in  the  new  law  would 
"modify,  limit  or  supercede"  standards  promulgated  by  the  Secretary  of  Health  and 
Human  Services.  That  is  generally  the  right  approach,  although  there  may  be  instances  in 


226 


which  this  bill  provides  even  stronger  privacy  protections  than  the  regulations,  and  when 
that  occurs  we  believe  this  law  should  govern.  Whenever  there  is  a  conflict  between  the 
regulation  and  the  law,  the  rule  that  provides  greater  privacy  protection  for  consumers 
should  prevail. 

Let  me  now  suggest  several  specific  ways  in  which  the  protections  in  H.R.  4585 
could  be  strengthened. 

A.        Right  to  Withdraw  Consent 

H.R.  4585  requires  that  before  individually  identifiable  health  information  is 
disclosed  by  a  financial  institution,  the  individual  who  is  the  subject  to  the  information 
must  be  given  written  notice  of  the  disclosure  and  the  financial  institution  must  elicit  the 
affirmative  consent  of  the  individual  prior  to  disclosure  of  records.  This  approach 
embraces  the  fundamental  principle  that  individuals  should  control  the  use  of  their 
medical  records.  But  this  principle  also  dictates  that  a  consumer  should  be  able  to 
withdraw  his  or  her  consent  for  the  use  of  health  information. 

Proposed  secfion  502A(a)(l)(B)  is  ambiguous  on  this  point.  It  provides  that  "[a]ny 
withdrawal  of  consent  is  subject  to  the  rights  of  any  financial  institution  that  acted  in 
reliance  on  the  consent  prior  to  its  withdrawal."  The  bill  does  not  explain  what  the  rights 
of  financial  institutions  are  in  this  regard,  but  we  fear  that  the  allusion  to  such  rights  could 
serve  to  blunt  what  should  be  the  absolute  right  of  a  consumer  to  withdraw  consent.  This 
is  especially  important  in  a  context  where  consent  will  sometimes  be  granted  at  the  outset 
of  a  relationship  between  the  consumer  and  a  financial  institution,  and  the  consumer  will 
subsequently  learn  of  practices  that  he  or  she  regards  as  a  breach  of  privacy. 


227 


We  urge  that  section  502A(a)(l)(B)  be  deleted.  If  a  financial  institution  has,  in 
fact,  detrimentally  relied  on  a  consumer's  prior  consent,  standard  contract  law  principles 
may  provide  legal  rights  that  will  govern  the  transaction  whether  or  not  referenced  in 
statute.  This  ambiguous  provision  can  only  diminish  the  rights  of  consumers  and 
undermine  the  general  principle  that  withdrawal  is  be  effective  upon  receipt  by  the 
financial  institution. 

B.        Right  to  Access  and  Correct  Records 

The  bill  appropriately  includes  a  mechanism  (proposed  section  502A(c))  for 
accessing  and  correcting  individually  identifiable  health  information  contained  in  the 
records  of  financial  institutions.  Damaging  inferences  may  be  drawn  about  an  individual 
fi-om  incorrect  health  information.  The  opportunity  to  prevent  or  minimize  the  harm 
caused  by  inaccurate  data  entries  or  other  incorrect  information  is  fundamental  to 
ensuring  that  individuals  are  treated  fairly  by  those  who  view  their  records.  Accordingly, 
the  process  for  correcting  records  is  critical  to  the  protection  of  the  interests  at  stake  in 
this  bill. 

To  this  end,  proposed  section  502A(c)(l)(A)  should  be  strengthened  to  require  a 
financial  institution  to  provide  customers  with  access  to  information  that  is  "under  the 
control  of  the  financial  institution,"  not  just  information  that  is  "within  the  possession  of 
the  financial  institution."  This  modest  change  prevents  fmancial  institutions  fi-om 
avoiding  the  responsibility  imposed  by  this  provision  simply  by  transferring  its 
information  to  an  affiliated  entity. 


228 

C.        Exceptions  to  Non-Disclosure 

A  significant  flaw  in  H.R.  4585  is  the  broad  scope  of  the  exceptions  it  permits  to 
the  general  rule  of  nondisclosure.  Certain  exceptions  which  facilitate  transactions  or 
which  pertain  to  other  routine  business  functions  of  financial  institutions  may  be 
warranted.  But  the  bill  carves  out  broad  exceptions  in  other  areas  that  severely 
undermine  the  protections  afforded  under  the  general  provisions  of  H.R.  4585. 

First,  it  is  difficult  to  imagine  how  a  financial  institution  could  protect  the 
confidentiality  or  security  of  its  records  pertaining  to  a  customer  by  disclosing  nonpublic 
personal  information  about  the  customer  as  permitted  under  section  502(e)(3)(A)  of  the 
Gramm-Leach-Bliley  Act.  We  urge  that  this  exception  to  the  general  non-disclosure  rule 
should  be  eliminated. 

Second,  the  exceptions  for  persons  "holding  a  legal  or  beneficial  interest  relating 
to  the  customer,"  or  "acting  in  a  fiduciary  or  representative  capacity  on  behalf  of  the 
customer"  as  provided  in  section  502(e)(3)(D)  and  (E)  of  the  Gramm-Leach-Bliley  Act 
unjustifiably  limit  the  privacy  rights  of  minors,  particularly  with  respect  to  their 
reproductive  health  care.  The  proposed  HHS  rules  carefully  address  this  issue,  and 
should  not  be  undercut  by  more  generic  language  in  this  bill. 

Third,  the  exception  for  requests  made  by  law  enforcement  and  governmental 
agencies  is  overly  broad  to  the  extent  that  it  expands  on  the  investigative  exceptions  set 
forth  in  the  Right  to  Financial  Privacy  Act  of  1978,  12  U.S.C.  §3401  et  seq.  and  other 
existing  laws  pertaining  to  the  investigation  of  financial  institutions.  Any  "investigation 
on  a  matter  related  to  public  safety"  should  be  conducted  in  accordance  with  the 


229 


provisions  of  the  Right  to  Financial  Privacy  Act.  The  provisions  of  that  law  are  already 
contemplate  such  investigations  and  any  governmental  unit  conducting  such  an  inquiry 
should  be  compelled  to  comply  with  the  notice  provisions  in  the  1978  Act.  Therefore, 
section  502(e)(5)  of  the  Gramm-Leach-Bliley  Act  should  be  modified  to  clarify  that  no 
expansion  of  existing  law  enforcement  authority  is  intended. 

Fourth,  there  is  no  basis  for  a  financial  institution  to  disclose  individually 
identifiable  health  information  about  its  customers  to  "self-regulatory  orgeinizations." 
Whatever  the  administrative  functions  of  such  organizations,  they  should  be  carried  out 
using  aggregate  or  de-identified  information.  Therefore  this  exception  in  section 
502(e)(5)  of  the  Gramm-Leach-Bliley  Act  should  not  be  applicable  to  individually 
identifiable  health  information. 

Finally,  section  502(e)(8)  of  the  Gramm-Leach-Bliley  Act  duplicates  the 
exceptions  set  forth  in  section  502(e)(5).  We  propose  that  for  clarity's  sake,  the  provision 
should  be  modified  to  reflect  that  this  exception  pertains  only  to  judicial  proceedings 
involving  or  action  taken  by  governmental  regulatory  authorities  with  jurisdiction  over 
the  financial  institution.  Any  law  enforcement  or  other  government  agency  seeking 
individually  identifiable  health  information  about  a  particular  person  must  comply  with 
the  Right  to  Financial  Privacy  Act  of  1978. 

D.        Mental  Health  Protections 

The  enhanced  protections  for  mental  health  records  in  H.R.  4585  is  commendable, 
but  should  also  be  afforded  to  information  about  other  sensitive  records  such  as  those 
pertaining  to  reproductive  health,  sexually  transmitted  diseases  and  substance  abuse 


230 


treatment.  Just  as  financial  institutions  should  be  required  to  obtain  a  consumer's 
separate  and  specific  consent  with  respect  to  the  disclosure  of,  for  example, 
psychotherapy  records,  so  should  such  specific  consent  be  required  for  equally  sensitive 
health  records. 

E.  Private  Right  of  Action. 

H.R.  4585  fails  to  provide  consumers  with  a  meaningful  remedy  in  the  event  their 
individually  identifiable  health  information  is  improperly  disclosed.  Regulatory  oversight 
of  financial  institutions  is  an  insufficient  means  of  policing  the  vast  financial  services 
industry.  The  absence  of  a  private  right  of  action  is,  of  course,  one  of  the  limitations  of 
the  HHS  medical  privacy  regulations  as  well.  Congress  should  establish  a  mechanism  for 
individuals  to  receive  compensation  for  wrongfiil  disclosure  of  their  identifiable  health 
information  in  order  to  deter  this  conduct. 

F.  Genetic  Privacy 

While  H.R.  4585  creates  an  opportunity  for  consumers  to  consent  to  the  disclosure 
of  their  health  information  to  financial  entities,  it  does  not  fully  address  circumstances  in 
which  disclosure  of  health  information  should  not  be  permitted  because  the  information 
should  never  be  used  for  commercial  purposes.  The  primary  example  of  that  concern  is 
the  potential  disclosure  to  insurers  and  others  of  genetic  information  about  individual 
consumers. 

Scientists  will  soon  complete  a  map  of  the  entire  sequence  of  human  genes.  While 
this  breakthrough  holds  great  promise  for  improving  medical  treatments,  it  also  presents 
unique  challenges  to  principles  of  privacy  and  non-discrimination.  The  ACLU  believes 


231 


that  genetic  information  should  not  be  a  basis  to  discriminate  against  individuals  in 
employment  or  insurance,  for  three  reasons: 

First,  it  is  inherently  unfair  to  discriminate  against  someone  because  of  immutable 
characteristics  that  do  not  limit  their  abilities. 

Second,  the  mere  fact  that  someone  has  a  genetic  predisposition  to  a  health 
condition  is  an  unreliable  basis  to  act  on  the  assumption  that  he  or  she  will  actually 
develop  that  condition  in  the  future.  Genetic  tests  do  not  show  with  certainty  that  any 
individual  will  eventually  develop  the  disease  or  how  severe  their  symptoms  might  be. 

Third,  the  threat  of  genetic  discrimination  in  insurance  or  employment  may  lead 
individuals  to  decline  genetic  screenings  and  other  health  services  to  avoid  bringing  to 
light  information  that  may  be  used  against  them.  For  example,  the  Journal  of  the 
American  Medical  Association  reports  that  only  57%  of  women  at  risk  for  breast  cancer 
seek  genetic  testing,  and  84%  of  those  who  decline  the  test  do  so  because  they  fear 
genetic  discrimination. 

Congress  has  before  it  legislation  to  protect  all  Americans  against  discrimination 
based  on  their  genetic  information.  Senator  Daschle  and  Congresswoman  Slaughter  have 
each  introduced  legislation  (S.  1322;  H.R.  2457)  that  would  provide  comprehensive 
protections  against  genetic  discrimination.  The  ACLU  supports  these  proposals,  and 
urges  that  they  be  incorporated  to  the  maximum  extent  feasible  in  H.R.  4585. 

It  is  especially  important  to  ban  databases  containing  personally  identifiable 
genetic  information.  Once  genetic  information  is  in  the  hands  of  an  insurer  or  employer. 


232 


there  are  corporate  pressures  to  use  it.  Prohibiting  the  compilation  of  personally 
identifiable  genetic  data  would  minimize  this  risk. 


CONCLUSION 

The  American  Civil  Liberties  Union  appreciates  the  opportunity  to  present  its 
views  on  this  important  subject  and  would  welcome  the  opportunity  to  work  with  this 
Committee  as  it  continues  its  consideration  of  H.R.  4585  and  other  medical  financial 
privacy  proposals. 


233 


Statement 

of 

America's  Community  Bankers 

on 

H.R.  4585,  the  "Medical  Financial  Privacy  Protection  Act" 

before  the 

Committee  on  Banking  and  Financial  Services 

of  the 

U.S.  House  of  Representatives 

on 

June  14,  2000 

[Submitted  for  the  Record] 


America's  Community  Bankers  is  pleased  to  submit  testimony  for  today's  hearing  before  the  House 
Banking  and  Financial  Services  Committee  on  medical  information  privacy.  ACB  represents  the 
nation's  community  banks  of  all  charter  types  and  sizes.  Our  members  pursue  progressive, 
entrepreneurial  and  service-oriented  strategies  in  providing  financial  services  to  benefit  their  customers 
and  communities. 

Mr.  Chairman,  ACB  commends  you  for  holding  this  hearing  on  medical  information  privacy  and  your 
legislation,  H.R.  4585,  the  "Medical  Financial  Privacy  Protection  Act."  Given  its  unique  sensitivity 
amonjg  the  general  public,  the  treatment  of  private  medical  information  is  an  issue  which  deserves  close 
examination  by  Congress  in  a  public  forum,  such  as  today's  hearing. 

Community  banks  are  well  aware  of  the  importance  of  protecting  the  confidentiality  of  customer 
information.  Community  banks  across  the  country  are  in  the  midst  of  complying  with  the  requirements 
of  the  most  sweeping  law  in  American  history  to  protect  the  financial  information  privacy  interests  of 
consumers.  The  implementation  of  the  privacy  provisions  of  the  Gramm-Leach-Bliley  Act  (GLBA)  will 
ensure  consumers  of  financial  services  that  their  personal  information  will  continue  to  be  safeguarded  by 
their  local  community  bank  and  other  financial  institutions. 

One  area  of  customer  information  privacy  that  was  not  directly  addressed  by  the  GLBA  was  the 
confidentiality  of  medical  information.  Congress  chose  this  approach,  despite  the  best  efforts  of  you,  Mr. 
Chairman,  to  include  in  the  GLBA  an  opt-in  requirement  for  the  disclosure  of  individually  identifiable 
health  and  medical  information.  ACB  strongly  supported  this  initiative.  Instead,  Congress  made  the 
decision  to  wait  until  the  U.S.  Department  of  Health  and  Human  Services  (HHS)  could  develop  federal 
standards  governing  the  treatment  of  such  information  under  the  authority  of  the  "Health  Insurance 
Portability  and  Accountability  Act  of  1996." 


234 


ACB  continues  to  support  public  policy  that  lenders  receive  the  affirmative  consent  of  a  consumer 
before  that  consumer's  individually  identifiable  health  information  can  be  disclosed  to  another  party. 

Frankly,  the  vast  majority  of  our  members  do  not  have  access  to  individually  identifiable  health 
information,  nor  do  they  seek  to  obtain  such  information  in  making  decisions  to  offer  loans  or  extend 
credit. 

While  ACB  stands  behind  this  public  position  on  medical  information  privacy,  we  do  encourage 
Congress  to  refrain  from  passing  additional  legislation  before  all  currently  authorized  regulatory 
remedies,  such  as  the  regulations  being  developed  by  the  HHS,  are  exhausted.  Legislative  efforts  to 
reopen  the  GLBA,  no  matter  how  targeted,  could  result  in  new,  harmful  restrictions  on  the  ability  of 
community  banks  and  other  financial  institutions  to  legitimately  use  information.  We  do,  however, 
commend  Congressional  efforts,  such  as  today's  hearing,  to  publicly  examine  such  issues  of  public 
concern. 

O 


BOSTON  PUBLIC  LIBRARY 


3  9999  05903  786  9 


i 


